CVE-2022-1998: Linux kernel flaw enabled local privilege escalation
Recently, seclists published a risk notice for a Linux kernel privilege escalation vulnerability. It is tracked as CVE-2022-1998 and rated moderate severity. Attackers can use this vulnerability to obtain root permissions and launch Denial of Service (DoS) attacks on the server.
CVE-2022-1998 affects the function copy_event_to_user in the File System Notification Handler component. It is a use-after-free in the Linux kernel's filesystem notification (fanotify) functionality, triggered when a user causes the copy_info_records_to_user() call inside copy_event_to_user() to fail. Local attackers can achieve privilege escalation by manipulating an unknown input on the affected host. Because the vulnerability lies in the kernel, successful exploitation directly yields the highest system privilege.
"If the copy_info_records_to_user() call in copy_event_to_user() fails, it'll erroneously call put_unused_fd(fd) + fput(f) on a file that was already populated by fd_install(). The erroneous code path, however, is only reachable by privileged users, as one needs to pass the '!FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV)' test which won't if one isn't already capable(CAP_SYS_ADMIN), i.e. has the CAP_SYS_ADMIN capability in the _init_ user namespace, which basically means root," reads the description of the fix in the main branch.
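The error-path ordering described above, as an added C model written for this article (not kernel code): fd_install, put_unused_fd and fput are simplified stand-ins for the real kernel helpers, and the hardened ordering shown is the general remedy for this pattern, not a copy of the kernel patch.

```c
/* Added model of the fd lifecycle in the copy_event_to_user() error path.
 * Not kernel code: fd_install/put_unused_fd/fput are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#define NR_FDS 8
struct file { int refcount; bool freed; };
static struct file *fdtable[NR_FDS];   /* constructed per-process fd table */
static bool fd_reserved[NR_FDS];
static int get_unused_fd(void) {
    for (int i = 0; i < NR_FDS; i++)
        if (!fd_reserved[i] && !fdtable[i]) { fd_reserved[i] = true; return i; }
    return -1;
}
/* Publishes f under fd: the reference the caller held now belongs to the table. */
static void fd_install(int fd, struct file *f) { fdtable[fd] = f; }
/* Releases a reserved fd number; only valid while nothing is installed there. */
static void put_unused_fd(int fd) { fd_reserved[fd] = false; }
static void fput(struct file *f) { if (--f->refcount == 0) f->freed = true; }
/* Stand-in for copy_info_records_to_user(); fails when asked to. */
static int copy_info_records_to_user(bool fail) { return fail ? -1 : 0; }
/* Ordering the advisory describes: install first, then a fallible copy whose
 * error path still does put_unused_fd() + fput(). */
static int copy_event_vulnerable(struct file *f, bool copy_fails) {
    int fd = get_unused_fd();
    if (fd < 0) return -1;
    fd_install(fd, f);
    if (copy_info_records_to_user(copy_fails) < 0) {
        put_unused_fd(fd);  /* wrong: fd is already installed */
        fput(f);            /* wrong: drops the reference the table now owns */
        return -1;
    }
    return fd;
}
/* Hardened ordering: publish the fd only after every fallible step succeeded. */
static int copy_event_fixed(struct file *f, bool copy_fails) {
    int fd = get_unused_fd();
    if (fd < 0) return -1;
    if (copy_info_records_to_user(copy_fails) < 0) {
        put_unused_fd(fd);  /* nothing installed, releasing the number is correct */
        fput(f);            /* drop our own reference; no table entry points at f */
        return -1;
    }
    fd_install(fd, f);
    return fd;
}
/* Runs one scenario on a fresh table; true if an installed fd points at a freed file. */
static bool leaves_dangling_fd(int (*fn)(struct file *, bool), bool copy_fails) {
    struct file f = { 1, false };
    for (int i = 0; i < NR_FDS; i++) { fdtable[i] = NULL; fd_reserved[i] = false; }
    fn(&f, copy_fails);
    for (int i = 0; i < NR_FDS; i++) if (fdtable[i] == &f && f.freed) return true;
    return false;
}
```

Only the vulnerable ordering on the failing path leaves a table entry pointing at a file whose last reference was dropped, which is the use-after-free condition the advisory describes.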
This vulnerability has been patched and the fix merged into the main branch. Popular Linux distributions such as Red Hat Enterprise Linux, Debian, Ubuntu, and SUSE have also adopted the patch. Users are therefore advised to update their systems as soon as possible.