CVE-2022-49961: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO
In the Linux kernel, the following vulnerability has been resolved:
bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO
Precision markers need to be propagated whenever we have an ARG_CONST_*
style argument, as the verifier cannot consider imprecise scalars to be
equivalent for the purposes of states_equal check when such arguments
refine the return value (in this case, set mem_size for PTR_TO_MEM). The
resultant mem_size for the R0 is derived from the constant value, and if
the verifier incorrectly prunes states considering them equivalent where
such arguments exist (by seeing that both registers have reg->precise as
false in regsafe), we can end up with invalid programs passing the
verifier which can do access beyond what should have been the correct
mem_size in that explored state.
To show a concrete example of the problem:
0000000000000000 <prog>:
0: r2 = *(u32 *)(r1 + 80)
1: r1 = *(u32 *)(r1 + 76)
2: r3 = r1
3: r3 += 4
4: if r3 > r2 goto +18 <LBB5_5>
5: w2 = 0
6: *(u32 *)(r1 + 0) = r2
7: r1 = *(u32 *)(r1 + 0)
8: r2 = 1
9: if w1 == 0 goto +1 <LBB5_3>
10: r2 = -1
0000000000000058 <LBB5_3>:
11: r1 = 0 ll
13: r3 = 0
14: call bpf_ringbuf_reserve
15: if r0 == 0 goto +7 <LBB5_5>
16: r1 = r0
17: r1 += 16777215
18: w2 = 0
19: *(u8 *)(r1 + 0) = r2
20: r1 = r0
21: r2 = 0
22: call bpf_ringbuf_submit
00000000000000b8 <LBB5_5>:
23: w0 = 0
24: exit
For the first case, the single line execution's exploration will prune
the search at insn 14 for the branch insn 9's second leg as it will be
verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will
always be 0 so at runtime we don't get error for being greater than
UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just
sees reg->precise as false for both r2 registers in both states, hence
considers them equal for purposes of states_equal.
If we propagated precise markers using the backtracking support, we
would use the precise marking to then ensure that old r2 (UINT_MAX) was
within the new r2 (1) and this would never be true, so the verification
would rightfully fail.
The end result is that the out of bounds access at instruction 19 would
be permitted without this fix.
Note that reg->precise is always set to true when user does not have
CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static
or global functions)), hence this is only a problem when precision marks
need to be explicitly propagated (i.e. privileged users with CAP_BPF).
A simplified test case has been included in the next patch to prevent
future regressions.
Security readout for executives and security teams
Plain-English summary
A Linux kernel eBPF verifier bug can allow an invalid privileged BPF program to pass safety checks, creating an out-of-bounds memory access condition. The source indicates this mainly affects users or processes with CAP_BPF, not ordinary unprivileged users. No active exploitation is reported in the supplied sources.
Executive priority
Treat as a kernel hardening update with elevated priority where CAP_BPF is available beyond core administrators. It is less urgent than a remotely exploitable bug, but important for shared infrastructure and systems running privileged observability or security tooling.
Technical view
The verifier failed to propagate precision markers for ARG_CONST_ALLOC_SIZE_OR_ZERO. State pruning could treat different scalar values as equivalent, deriving an incorrect PTR_TO_MEM size after bpf_ringbuf_reserve and permitting an out-of-bounds access that should fail verification.
Likely exposure
Exposure is most relevant on Linux systems running affected kernel versions where trusted or compromised privileged processes can load BPF programs with CAP_BPF. The supplied version data is limited, so distro backport status must be checked.
Exploitation context
The CVE record is not marked KEV, and the supplied sources do not claim active exploitation. The source describes a verifier bypass condition requiring privileged BPF capability, which narrows practical exposure but remains important on shared, container, or observability-heavy hosts.
Researcher notes
The core issue is verifier state equivalence with imprecise scalars influencing returned memory size. The source explicitly notes CAP_BPF scope and says a regression test followed in the next patch, but the supplied bundle does not include CVSS, CWE, exploit evidence, or distro-specific fixed versions.
Mitigation direction
Apply Linux kernel updates containing the referenced stable fixes.
Check distribution advisories for backported fixes before judging by version alone.
Restrict CAP_BPF to trusted administrative workloads only.
Review container and service capability grants for unnecessary BPF access.
Validation and detection
Inventory Linux kernel versions across exposed servers and workloads.
Confirm whether vendor kernels include the referenced upstream stable commits.
Identify processes, containers, or users granted CAP_BPF.
Review BPF program loading policies on multi-tenant systems.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49961 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:00 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.