cbcvebase.
CVE-2022-0185
published 2022-02-11


Priority: P1 85 high
CVSS 3.1: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, Exploit, Initial access
CISA Known Exploited Vulnerability, due 2024-09-11
Exploited in the wild
EPSS: 25.15% (97.7th percentile)
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

Affected (14 ranges)

Vendor    | Product                                      | Version range                        | Fixed in
debian    | linux                                        | < linux 5.15.15-1 (bookworm)         | linux 5.15.15-1 (bookworm)
linux     | linux_kernel                                 |                                      |
linux     | linux_kernel                                 | >= 0 < 5.10.92-1                     | 5.10.92-1
linux     | linux_kernel                                 | >= 0 < 5.15.15-1                     | 5.15.15-1
linux     | linux_kernel                                 | >= 0 < 5.15.15-1                     | 5.15.15-1
linux     | linux_kernel                                 | >= 0 < 5.15.15-1                     | 5.15.15-1
linux     | linux_kernel                                 | >= 0 < 5.4.0-96.109                  | 5.4.0-96.109
linux     | linux_kernel                                 | >= 5.1 < 5.4.173                     | 5.4.173
linux     | linux_kernel                                 | >= 5.11 < 5.15.16                    | 5.15.16
linux     | linux_kernel                                 | >= 5.16 < 5.16.2                     | 5.16.2
linux     | linux_kernel                                 | >= 5.5 < 5.10.93                     | 5.10.93
msrc      | cbl2_kernel_5.15.26.1-1_on_cbl_mariner_2.0   |                                      |
msrc      | cm1_kernel_5.10.93.1-4_on_cbl_mariner_1.0    |                                      |
paloalto  | pan-os                                       |                                      |

Detection & IOCs (extracted from sources)

command: fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0);
command: unshare -Urm
sigma:
index=main sourcetype=ProcessRollup2* event_simpleName=ProcessRollup2 event_platform=Lin OciContainerId=* | search FileName=unshare | stats dc(aid) as ContainerAid count(aid) as detectionCount, values(ComputerName) as endpointNames by ParentBaseFileName, FileName, UID_decimal | sort - detectionCount
  • CVE-2022-0185 exploits syscalls (fsconfig/heap overflow in fsconfig()) permitted by default seccomp profiles, enabling container breakouts; alert on fsconfig() syscall usage from containerized processes.
  • Hunt for 'unshare' process executions inside Kubernetes pods (OciContainerId present) using SIEM/EDR telemetry, correlating by ParentBaseFileName, FileName=unshare, and UID_decimal.
  • The exploit requires unprivileged user namespaces to be enabled (kernel.unprivileged_userns_clone=1 or user.max_user_namespaces>0). Disabling unprivileged user namespaces blocks the privilege escalation path used to obtain CAP_SYS_ADMIN before triggering the heap overflow.
  • Default seccomp profiles do not block the fsconfig() syscall, meaning CVE-2022-0185 can be triggered even in environments with basic seccomp enforcement unless the profile is explicitly hardened to deny fsconfig.
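The two mitigation bullets above (deny fsconfig in the container seccomp profile, and keep unprivileged user namespaces disabled) can be checked mechanically. The following is an added example, not code from the cbcvebase record or from the Linux kernel project: it evaluates the effective action a Docker-style seccomp profile gives to a syscall name and mirrors the user-namespace precondition quoted above. The two profiles and the sysctl dictionaries are constructed and abbreviated, and the rule-precedence logic (first unconditional rule naming the syscall wins, argument-filtered rules ignored) is an assumption of this example, not libseccomp's full semantics.

```python
"""Audit a Docker-style seccomp profile and user-namespace sysctls for the
CVE-2022-0185 preconditions. Added example; profiles and sysctl values below
are constructed, not taken from any real host."""
import json

# Constructed profile in Docker's seccomp JSON shape: a deny-by-default
# profile whose allowlist (heavily abbreviated) still includes fsconfig,
# which is the "not blocked" situation described in the bullets above.
DEFAULT_LIKE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "fsopen", "fsconfig", "fsmount"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})

# Constructed hardened variant: fsconfig is dropped from the allowlist and
# also given an explicit deny rule, so either mechanism alone blocks it.
HARDENED_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["fsopen", "fsconfig", "fsmount"],
         "action": "SCMP_ACT_ERRNO", "errnoRet": 1},
    ],
})

# Actions that prevent the syscall from executing.
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}


def effective_action(profile_json: str, syscall: str) -> str:
    """Return the action applied to an unconditional call of `syscall`.

    Assumption of this example: rules carrying an `args` filter only match
    specific argument values and are skipped; among the rest, the first rule
    naming the syscall wins; otherwise defaultAction applies.
    """
    profile = json.loads(profile_json)
    for rule in profile.get("syscalls", []):
        if rule.get("args"):
            continue
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile.get("defaultAction", "SCMP_ACT_ALLOW")


def blocks_syscall(profile_json: str, syscall: str) -> bool:
    """True when the profile denies, kills or traps the syscall."""
    return effective_action(profile_json, syscall) in DENY_ACTIONS


def audit_profile(profile_json: str,
                  syscalls=("fsopen", "fsconfig", "fsmount")) -> dict:
    """Map each new-mount-API syscall to whether the profile blocks it."""
    return {name: blocks_syscall(profile_json, name) for name in syscalls}


def unprivileged_userns_enabled(sysctls: dict) -> bool:
    """Mirror the precondition quoted above from sysctl values given as strings.

    kernel.unprivileged_userns_clone is the Debian/Ubuntu switch: when it is
    present and not "1", unprivileged user namespaces are off regardless of
    the upstream limit. Otherwise user.max_user_namespaces must be > 0.
    """
    clone = sysctls.get("kernel.unprivileged_userns_clone")
    if clone is not None and clone.strip() != "1":
        return False
    limit = sysctls.get("user.max_user_namespaces")
    if limit is None:
        # Only the distro switch exists (assumption: treat missing limit as
        # unlimited, which is the pre-limit kernel behaviour).
        return clone is not None
    return int(limit) > 0


if __name__ == "__main__":
    for label, prof in (("default-like", DEFAULT_LIKE_PROFILE),
                        ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(prof))
    # Constructed sysctl readings, e.g. from `sysctl -a` output.
    print("userns enabled:", unprivileged_userns_enabled(
        {"kernel.unprivileged_userns_clone": "1",
         "user.max_user_namespaces": "15000"}))
```

On a real host, feed `audit_profile` the JSON passed to `--security-opt seccomp=` (or the runtime's default profile) and `unprivileged_userns_enabled` the parsed output of `sysctl -a`; a profile reporting fsconfig as not blocked together with user namespaces enabled is the combination the detection bullets above describe.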

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 8.4   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            | v2.0    | 7.2   | HIGH     | AV:L/AC:L/Au:N/C:C/I:C/A:C
osv            |         | 8.4   | HIGH     |
vulncheck      |         | 8.4   | HIGH     |
cisa           |         | 8.4   | HIGH     |
vendor_debian  |         | 8.4   | HIGH     |
vendor_msrc    |         | 8.4   | HIGH     |
vendor_redhat  |         | 8.4   | HIGH     |
vendor_ubuntu  |         | 8.4   | HIGH     |