LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49961: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO

In the Linux kernel, the following vulnerability has been resolved: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO Precision markers need to be propagated whenever we have an ARG_CONST_* style argument, as the verifier cannot consider imprecise scalars to be equivalent for the purposes of states_equal check when such arguments refine the return value (in this case, set mem_size for PTR_TO_MEM). The resultant mem_size for the R0 is derived from the constant value, and if the verifier incorrectly prunes states considering them equivalent where such arguments exist (by seeing that both registers have reg->precise as false in regsafe), we can end up with invalid programs passing the verifier which can do access beyond what should have been the correct mem_size in that explored state. To show a concrete example of the problem: 0000000000000000 <prog>: 0: r2 = *(u32 *)(r1 + 80) 1: r1 = *(u32 *)(r1 + 76) 2: r3 = r1 3: r3 += 4 4: if r3 > r2 goto +18 <LBB5_5> 5: w2 = 0 6: *(u32 *)(r1 + 0) = r2 7: r1 = *(u32 *)(r1 + 0) 8: r2 = 1 9: if w1 == 0 goto +1 <LBB5_3> 10: r2 = -1 0000000000000058 <LBB5_3>: 11: r1 = 0 ll 13: r3 = 0 14: call bpf_ringbuf_reserve 15: if r0 == 0 goto +7 <LBB5_5> 16: r1 = r0 17: r1 += 16777215 18: w2 = 0 19: *(u8 *)(r1 + 0) = r2 20: r1 = r0 21: r2 = 0 22: call bpf_ringbuf_submit 00000000000000b8 <LBB5_5>: 23: w0 = 0 24: exit For the first case, the single line execution's exploration will prune the search at insn 14 for the branch insn 9's second leg as it will be verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will always be 0 so at runtime we don't get error for being greater than UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just sees reg->precise as false for both r2 registers in both states, hence considers them equal for purposes of states_equal. If we propagated precise markers using the backtracking support, we would use the precise marking to then ensure that old r2 (UINT_MAX) was within the new r2 (1) and this would never be true, so the verification would rightfully fail. The end result is that the out of bounds access at instruction 19 would be permitted without this fix. Note that reg->precise is always set to true when user does not have CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static or global functions)), hence this is only a problem when precision marks need to be explicitly propagated (i.e. privileged users with CAP_BPF). A simplified test case has been included in the next patch to prevent future regressions.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

A Linux kernel eBPF verifier bug can allow an invalid privileged BPF program to pass safety checks, creating an out-of-bounds memory access condition. The source indicates this mainly affects users or processes with CAP_BPF, not ordinary unprivileged users. No active exploitation is reported in the supplied sources.

Executive priority

Treat as a kernel hardening update with elevated priority where CAP_BPF is available beyond core administrators. It is less urgent than a remotely exploitable bug, but important for shared infrastructure and systems running privileged observability or security tooling.

Technical view

The verifier failed to propagate precision markers for ARG_CONST_ALLOC_SIZE_OR_ZERO. State pruning could treat different scalar values as equivalent, deriving an incorrect PTR_TO_MEM size after bpf_ringbuf_reserve and permitting an out-of-bounds access that should fail verification.

Likely exposure

Exposure is most relevant on Linux systems running affected kernel versions where trusted or compromised privileged processes can load BPF programs with CAP_BPF. The supplied version data is limited, so distro backport status must be checked.

Exploitation context

The CVE record is not marked KEV, and the supplied sources do not claim active exploitation. The source describes a verifier bypass condition requiring privileged BPF capability, which narrows practical exposure but remains important on shared, container, or observability-heavy hosts.

Researcher notes

The core issue is verifier state equivalence with imprecise scalars influencing returned memory size. The source explicitly notes CAP_BPF scope and says a regression test followed in the next patch, but the supplied bundle does not include CVSS, CWE, exploit evidence, or distro-specific fixed versions.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable fixes.
  • Check distribution advisories for backported fixes before judging by version alone.
  • Restrict CAP_BPF to trusted administrative workloads only.
  • Review container and service capability grants for unnecessary BPF access.

Validation and detection

  • Inventory Linux kernel versions across exposed servers and workloads.
  • Confirm whether vendor kernels include the referenced upstream stable commits.
  • Identify processes, containers, or users granted CAP_BPF.
  • Review BPF program loading policies on multi-tenant systems.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49961 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux457f44363a8894135c85b7a9afd2bd8196db24ab, 457f44363a8894135c85b7a9afd2bd8196db24ab, 457f44363a8894135c85b7a9afd2bd8196db24abunaffected
LinuxLinux5.8, 0, 5.15.209, 5.19.8, 6.0affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.