{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf, cgroup: Fix kernel BUG in purge_effective_progs",
    "id" : "2373515",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373515"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-430",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, cgroup: Fix kernel BUG in purge_effective_progs\nSyzkaller reported a triggered kernel BUG as follows:\n------------[ cut here ]------------\nkernel BUG at kernel/bpf/cgroup.c:925!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 194 Comm: detach Not tainted 5.19.0-14184-g69dac8e431af #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__cgroup_bpf_detach+0x1f2/0x2a0\nCode: 00 e8 92 60 30 00 84 c0 75 d8 4c 89 e0 31 f6 85 f6 74 19 42 f6 84\n28 48 05 00 00 02 75 0e 48 8b 80 c0 00 00 00 48 85 c0 75 e5 <0f> 0b 48\n8b 0c5\nRSP: 0018:ffffc9000055bdb0 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffff888100ec0800 RCX: ffffc900000f1000\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888100ec4578\nRBP: 0000000000000000 R08: ffff888100ec0800 R09: 0000000000000040\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff888100ec4000\nR13: 000000000000000d R14: ffffc90000199000 R15: ffff888100effb00\nFS:  00007f68213d2b80(0000) GS:ffff88813bc80000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f74a0e5850 CR3: 0000000102836000 CR4: 00000000000006e0\nCall Trace:\n<TASK>\ncgroup_bpf_prog_detach+0xcc/0x100\n__sys_bpf+0x2273/0x2a00\n__x64_sys_bpf+0x17/0x20\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f68214dbcb9\nCode: 08 44 89 e0 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\nf0 ff8\nRSP: 002b:00007ffeb487db68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\nRAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f68214dbcb9\nRDX: 0000000000000090 RSI: 00007ffeb487db70 RDI: 0000000000000009\nRBP: 0000000000000003 R08: 0000000000000012 R09: 0000000b00000003\nR10: 00007ffeb487db70 R11: 0000000000000246 R12: 00007ffeb487dc20\nR13: 0000000000000004 R14: 0000000000000001 R15: 000055f74a1011b0\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRepetition steps:\nFor the following cgroup tree,\nroot\n|\ncg1\n|\ncg2\n1. attach prog2 to cg2, and then attach prog1 to cg1, both bpf progs\nattach type is NONE or OVERRIDE.\n2. write 1 to /proc/thread-self/fail-nth for failslab.\n3. detach prog1 for cg1, and then kernel BUG occur.\nFailslab injection will cause kmalloc fail and fall back to\npurge_effective_progs. The problem is that cg2 have attached another prog,\nso when go through cg2 layer, iteration will add pos to 1, and subsequent\noperations will be skipped by the following condition, and cg will meet\nNULL in the end.\n`if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))`\nThe NULL cg means no link or prog match, this is as expected, and it's not\na bug. So here just skip the no match situation." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49970\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49970\nhttps://lore.kernel.org/linux-cve-announce/2025061817-CVE-2022-49970-2d63@gregkh/T" ],
  "name" : "CVE-2022-49970",
  "csaw" : false
}