CVE-2021-22600
published 2022-01-26


Priority: P1 82 high
CVSS 3.1: 7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-02
Exploited in the wild
EPSS: 5.92% (92.3th percentile)
A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading the kernel past the affected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755.

Affected

22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | linux | < linux 5.15.15-1 (bookworm) | linux 5.15.15-1 (bookworm) |
| google | android | | |
| linux | linux_kernel | >= 0 < 5.10.92-1 | 5.10.92-1 |
| linux | linux_kernel | >= 0 < 5.15.15-1 | 5.15.15-1 |
| linux | linux_kernel | >= 0 < 5.15.15-1 | 5.15.15-1 |
| linux | linux_kernel | >= 0 < 5.15.15-1 | 5.15.15-1 |
| linux | linux_kernel | >= 0 < 4.15.0-169.177 | 4.15.0-169.177 |
| linux | linux_kernel | >= 0 < 5.4.0-100.113 | 5.4.0-100.113 |
| linux | linux_kernel | >= 4.14.175 < 4.14.259 | 4.14.259 |
| linux | linux_kernel | >= 4.19.114 < 4.19.222 | 4.19.222 |
| linux | linux_kernel | >= 5.11 < 5.15.11 | 5.15.11 |
| linux | linux_kernel | >= 5.4.29 < 5.4.168 | 5.4.168 |
| linux | linux_kernel | >= 5.5.14 < 5.10.88 | 5.10.88 |
| linux_kernel | kernel | >= unspecified < 5.4.168 | 5.4.168 |
| linux_kernel | kernel | >= unspecified < 5.10.88 | 5.10.88 |
| linux_kernel | kernel | >= unspecified < 5.15.11 | 5.15.11 |
| linux_kernel | kernel | >= unspecified < 5.16-rc6 | 5.16-rc6 |
| msrc | cbl2_kernel_5.15.18.1-1_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |

Detection & IOCs (extracted from sources)

hash: ec6af094ea28f0f2dda1a6a33b14cd57e36a9755
path: net/packet/af_packet.c
  • The vulnerability is triggered via crafted syscalls targeting packet_set_ring() in the AF_PACKET socket implementation; monitor for unusual AF_PACKET socket creation (socket(AF_PACKET, ...)) by unprivileged local users.
  • This CVE is listed in CISA KEV as actively exploited; prioritize detection of local privilege escalation attempts via the packet socket (AF_PACKET) subsystem.
  • Exploitation results in a double-free condition; kernel crash (system crash) or unexpected privilege escalation of a local process to root are key behavioral indicators.
  • Fix is tied to a specific upstream kernel commit; systems must be rebuilt or upgraded past commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 to be remediated.
  • Debian fixed versions: bookworm/forky/sid/trixie resolved in 5.15.15-1; bullseye resolved in 5.10.92-1. Kernels older than these remain vulnerable.

CVSS provenance

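| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.0 | HIGH | |
| vulncheck | | 6.6 | MEDIUM | |
| cisa | | 7.0 | HIGH | |
| vendor_msrc | | 7.0 | HIGH | |
| vendor_debian | | 6.6 | MEDIUM | |
| vendor_redhat | | 6.6 | MEDIUM | |
| vendor_ubuntu | | 6.6 | MEDIUM | |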