CVE-2022-34918
published 2022-07-04


Priority: P1 (79), high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 5.13% (91.3rd percentile)
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
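The fix the description points at, modelled as an added example rather than the kernel's own code: the two functions below reproduce the element-data validation in nft_setelem_parse_data before and after the patch, using simplified stand-ins for struct nft_set and struct nft_data_desc and assumed x86-64 sizes (a 16-byte verdict, a 64-byte maximum value). The overflow arithmetic follows from the element being allocated for the parsed data length while the copy in nft_set_elem_init uses the set's declared length, which is the type confusion the CVE text describes.

```c
/* Added example (editor's model of the CVE-2022-34918 fix, not kernel source). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* UAPI type codes from nf_tables.h; sizes are assumptions for an x86-64 build. */
#define NFT_DATA_VALUE        0u
#define NFT_DATA_VERDICT      0xffffff00u
#define NFT_DATA_VALUE_MAXLEN 64   /* largest data slot a map element can declare */
#define NFT_VERDICT_LEN       16   /* sizeof(struct nft_verdict): u32 code + chain pointer */

/* Simplified stand-ins: only the fields the check looks at. */
struct nft_set       { uint32_t dtype; unsigned int dlen; };  /* fixed at set creation */
struct nft_data_desc { uint32_t type;  unsigned int len;  };  /* describes data the user sent */

/* Pre-fix logic: the length is compared only for non-verdict data, so a verdict
 * is accepted for a value-typed set of any declared length. */
int parse_data_vulnerable(const struct nft_set *set, const struct nft_data_desc *desc)
{
    if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen)
        return -EINVAL;
    return 0;
}

/* Post-fix logic: derive the expected type from the set itself and require
 * both the type and the length to match what the set declared. */
int parse_data_fixed(const struct nft_set *set, const struct nft_data_desc *desc)
{
    uint32_t dtype = (set->dtype == NFT_DATA_VERDICT) ? NFT_DATA_VERDICT : NFT_DATA_VALUE;

    if (dtype != desc->type || set->dlen != desc->len)
        return -EINVAL;
    return 0;
}

/* Why the mismatch is memory-unsafe: the element's data region is reserved from
 * desc->len, but nft_set_elem_init copies set->dlen bytes into it. Returns how
 * many bytes such a copy would write past the reserved region. */
size_t overflow_bytes(const struct nft_set *set, const struct nft_data_desc *desc)
{
    return set->dlen > desc->len ? set->dlen - desc->len : 0;
}

int main(void)
{
    /* Constructed inputs: a value-typed map with the maximum 64-byte data slot,
     * and an element whose NFTA_SET_ELEM_DATA carries a 16-byte verdict. */
    struct nft_set set = { NFT_DATA_VALUE, NFT_DATA_VALUE_MAXLEN };
    struct nft_data_desc verdict = { NFT_DATA_VERDICT, NFT_VERDICT_LEN };

    printf("vulnerable check: %d, fixed check: %d, bytes written past the element: %zu\n",
           parse_data_vulnerable(&set, &verdict), parse_data_fixed(&set, &verdict),
           overflow_bytes(&set, &verdict));
    return 0;
}
```

The same confusion with a 16-byte value set overflows nothing but still stores a verdict (a kernel chain pointer) where a plain value is expected, which is why the fix checks the type as well as the length.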

Affected

27 ranges (showing 25)

Vendor      Product        Version range                       Fixed in
canonical   ubuntu_linux   (no version data)                   (no version data)
canonical   ubuntu_linux   (no version data)                   (no version data)
canonical   ubuntu_linux   (no version data)                   (no version data)
canonical   ubuntu_linux   (no version data)                   (no version data)
canonical   ubuntu_linux   (no version data)                   (no version data)
debian      debian_linux   (no version data)                   (no version data)
debian      linux          < linux 5.18.14-1 (bookworm)        linux 5.18.14-1 (bookworm)
linux       linux_kernel   >= 0 < 5.10.127-2                   5.10.127-2
linux       linux_kernel   >= 0 < 5.18.14-1                    5.18.14-1
linux       linux_kernel   >= 0 < 5.18.14-1                    5.18.14-1
linux       linux_kernel   >= 0 < 5.18.14-1                    5.18.14-1
linux       linux_kernel   >= 0 < 4.15.0-191.202               4.15.0-191.202
linux       linux_kernel   >= 0 < 5.4.0-124.140                5.4.0-124.140
linux       linux_kernel   >= 0 < 5.15.0-43.46                 5.15.0-43.46
linux       linux_kernel   >= 0 < 4.4.0-230.264                4.4.0-230.264
linux       linux_kernel   >= 0 < 4.4.0-231.265                4.4.0-231.265
linux       linux_kernel   >= 0 < 4.15.0-191.202               4.15.0-191.202
linux       linux_kernel   >= 0 < 5.4.0-124.140                5.4.0-124.140
linux       linux_kernel   >= 0 < 5.15.0-46.49                 5.15.0-46.49
linux       linux_kernel   >= 4.1 < 4.14.316                   4.14.316
linux       linux_kernel   >= 4.15 < 4.19.284                  4.19.284
linux       linux_kernel   >= 4.20 < 5.4.244                   5.4.244
linux       linux_kernel   >= 5.11 < 5.15.54                   5.15.54
linux       linux_kernel   >= 5.16 < 5.18.11                   5.18.11
linux       linux_kernel   >= 5.5 < 5.10.130                   5.10.130

Detection & IOCs (extracted from sources)

  • The fix lives in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. Check the running kernel against the fixed versions in the table above (upstream 5.18.11, with backports to 5.15.54 and 5.10.130, or the distribution package versions) rather than looking for the function name, which exists in both patched and unpatched trees.
  • Exploitation requires CAP_NET_ADMIN, which an unprivileged user obtains by creating a user namespace and a network namespace inside it; monitor for unprivileged user namespace creation (clone or unshare with CLONE_NEWUSER) followed by nf_tables netlink traffic (NFNL_SUBSYS_NFTABLES) from the same process as a precursor to privilege escalation.
  • A Metasploit module exists for this vulnerability (netfilter_nft_set_elem_init_privesc); alert on Metasploit framework artifacts or that module name in endpoint telemetry.
  • The root cause is a type confusion in nft_set_elem_init that leads to a heap buffer overflow; look for set-element additions (NFT_MSG_NEWSETELEM) from processes that have no business configuring nftables, and for slab corruption reports or oopses that mention nf_tables in kernel logs.
  • Exploitation is local-only and affects Linux kernels through 5.18.9. The upstream fix shipped in 5.18.11 (and in the 5.15.54 and 5.10.130 stable releases); the Debian 5.18.14-1 and Ubuntu packages listed above carry it.
  • Unprivileged user namespaces must be enabled for an unprivileged user to reach CAP_NET_ADMIN. On Debian and Ubuntu kernels, kernel.unprivileged_userns_clone=0 removes that path; upstream kernels lack that sysctl, and user.max_user_namespaces=0 is the generic equivalent. Either setting also breaks software that depends on user namespaces (rootless containers, some browser sandboxes), so test before deploying it broadly.
  • Debian fixed versions: bookworm/sid/forky/trixie at 5.18.14-1, bullseye at 5.10.127-2; systems running older kernel packages remain vulnerable.
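The version and sysctl checks from the bullets above, as an added script (this editor's, not from the page, Debian or Ubuntu). It classifies an upstream kernel version against the upstream ranges in the Affected table and reads the two user-namespace sysctls; distribution builds such as 5.15.0-43-generic are flagged rather than judged, because their patch level lives in the package version, and the sysctl root is a parameter so the check can be pointed at a copied /proc tree.

```sh
#!/bin/sh
# Added example (editor's script, not from the page or any vendor).
# Assumption: the upstream ranges below are the "linux / linux_kernel" rows of
# the Affected table; distro kernels need a package-version comparison instead.

# version_cmp A B: prints -1, 0 or 1 comparing two dotted numeric versions.
# Missing components count as 0, so "5.18" sorts below "5.18.11".
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# cve_2022_34918_status VERSION: prints vulnerable, fixed, unlisted or distro-build.
# Each range is "lower upper fixed-in"; upper is exclusive and "-" means open-ended.
cve_2022_34918_status() {
    v=${1%%-*}                      # strip "-rc1" or a distro suffix for comparison
    case ${1#"$v"} in
        ""|-rc*) ;;                 # mainline release or release candidate
        *) printf '%s\n' distro-build; return 0 ;;   # e.g. 5.15.0-43-generic
    esac
    for range in "4.1 4.15 4.14.316" "4.15 4.20 4.19.284" "4.20 5.5 5.4.244" \
                 "5.5 5.11 5.10.130" "5.11 5.16 5.15.54" "5.16 - 5.18.11"; do
        set -- $range
        lo=$1; hi=$2; fix=$3
        [ "$(version_cmp "$v" "$lo")" -ge 0 ] || continue
        if [ "$hi" != "-" ] && [ "$(version_cmp "$v" "$hi")" -ge 0 ]; then continue; fi
        if [ "$(version_cmp "$v" "$fix")" -lt 0 ]; then
            printf '%s\n' vulnerable
        else
            printf '%s\n' fixed
        fi
        return 0
    done
    printf '%s\n' unlisted
}

# userns_reachable [ROOT]: prints restricted, allowed or unknown from the sysctls
# under ROOT/sys (default /proc). kernel.unprivileged_userns_clone is the
# Debian/Ubuntu knob; user.max_user_namespaces is the upstream one.
userns_reachable() {
    root=${1:-/proc}
    seen=0
    f=$root/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ]; then
        seen=1
        read -r val < "$f"
        if [ "$val" = 0 ]; then printf '%s\n' restricted; return 0; fi
    fi
    f=$root/sys/user/max_user_namespaces
    if [ -r "$f" ]; then
        read -r val < "$f"
        if [ "$val" = 0 ]; then printf '%s\n' restricted; else printf '%s\n' allowed; fi
        return 0
    fi
    if [ "$seen" = 1 ]; then printf '%s\n' allowed; else printf '%s\n' unknown; fi
}

# Report on the host this runs on.
printf 'kernel %s: %s\n' "$(uname -r)" "$(cve_2022_34918_status "$(uname -r)")"
printf 'unprivileged user namespaces: %s\n' "$(userns_reachable)"
```

A "restricted" result only removes the unprivileged path to CAP_NET_ADMIN; a process that already holds the capability (or root in a container with the host kernel) can still reach the bug, so the version check is the one that decides exposure.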

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv                       7.8     HIGH
vulncheck                 7.8     HIGH
vendor_debian             7.8     HIGH
vendor_msrc               7.8     HIGH
vendor_redhat             7.8     HIGH
vendor_ubuntu             7.8     HIGH