CVE-2022-47938
published 2022-12-23

Priority: P3 (49)   Severity: medium, 6.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 58.46% (99.0th percentile)
An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.

Affected

Vendor   Product        Version range                            Fixed in
debian   linux          < 5.19.6-1 (bookworm)                    5.19.6-1 (bookworm)
linux    linux_kernel   >= 0, < 5.19.6-1                         5.19.6-1
linux    linux_kernel   >= 5.15, < 5.19.2                        5.19.2
msrc     cbl2           kernel 5.15.86.1-1 on CBL-Mariner 2.0    (not listed)

Detection & IOCs (extracted from sources)

  • The bug sits in the SMB2_TREE_CONNECT handling path of the ksmbd kernel module: malformed or oversized length fields in a TREE_CONNECT request drive an out-of-bounds read in fs/ksmbd/smb2misc.c, which ends in a kernel OOPS (denial of service).
  • Authentication is required, so an attacker first needs a valid SMB session. Monitor for authenticated SMB sessions followed by anomalous SMB2_TREE_CONNECT requests, and correlate them with kernel OOPS/crash events on Linux hosts running ksmbd (kernel 5.15 through 5.19 before 5.19.2).
  • On the wire, the shape to flag is a TREE_CONNECT request whose declared data offset/length extends beyond the end of the received packet; on the host, a kernel OOPS in ksmbd coinciding with such a request is a strong indicator of exploitation.
  • Only Linux kernels built with the ksmbd module (the in-kernel SMB server), versions 5.15 through 5.19 before 5.19.2, are affected; the CIFS client does not share this code and is not impacted.
  • Red Hat Enterprise Linux 6, 8 and 9 (kernel and kernel-rt) are confirmed Not Affected; RHEL 7 is out of support scope. Detection effort should therefore focus on upstream/vanilla kernels and distributions that ship ksmbd in the affected range.
  • There is no unauthenticated attack surface for this CVE; the in-scope population is hosts that expose ksmbd to users who can complete SMB authentication.
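To make the failure mode concrete, the following is an added C illustration and not ksmbd source or the upstream fix. The TREE_CONNECT body layout (64-byte SMB2 header, StructureSize 9, PathOffset and PathLength describing the share path) follows MS-SMB2 section 2.2.9; the function names, the PDU builder and the "unchecked" variant used for contrast are assumptions made for this demonstration. It shows how an attacker-chosen PathLength yields a read range past the received PDU unless the parser checks offsets and lengths against the bytes it actually has.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative constants (MS-SMB2): 64-byte header, TREE_CONNECT body
 * StructureSize 9, i.e. 8 fixed bytes followed by the variable path. */
#define SMB2_HDR_LEN        64
#define SMB2_TREE_CONNECT   0x0003
#define TC_STRUCT_SIZE      9
#define TC_FIXED_LEN        8

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Unchecked variant (hypothetical, for contrast): the path range is taken
 * straight from attacker-controlled PathOffset/PathLength. With an oversized
 * PathLength, *end lands beyond pdu_len and any copy or string scan over
 * [*start, *end) reads past the received PDU. */
int tree_connect_path_unchecked(const uint8_t *pdu, size_t pdu_len,
                                size_t *start, size_t *end)
{
    const uint8_t *body = pdu + SMB2_HDR_LEN;
    (void)pdu_len;                        /* never consulted: that is the bug */
    *start = le16(body + 4);
    *end   = *start + le16(body + 6);
    return 0;
}

/* Checked variant: every derived range is validated against the number of
 * bytes actually received before anything dereferences it. */
int tree_connect_path_checked(const uint8_t *pdu, size_t pdu_len,
                              size_t *start, size_t *end)
{
    if (pdu_len < SMB2_HDR_LEN + TC_FIXED_LEN)
        return -1;                                /* truncated body */
    const uint8_t *body = pdu + SMB2_HDR_LEN;
    if (le16(body + 0) != TC_STRUCT_SIZE)
        return -1;                                /* wrong StructureSize */
    size_t off = le16(body + 4), len = le16(body + 6);
    if (len == 0)
        return -1;                                /* no share path at all */
    if (off < SMB2_HDR_LEN + TC_FIXED_LEN)
        return -1;                                /* path overlaps header/fixed fields */
    if (off > pdu_len || len > pdu_len - off)
        return -1;                                /* path runs past the PDU */
    *start = off;
    *end   = off + len;
    return 0;
}

/* Build a constructed TREE_CONNECT PDU: the declared PathOffset/PathLength are
 * set as given, but only path_bytes of path actually follow the fixed fields.
 * Returns the total PDU length, or 0 if it does not fit in cap. */
size_t build_tree_connect(uint8_t *out, size_t cap, uint16_t path_offset,
                          uint16_t path_length, size_t path_bytes)
{
    size_t total = SMB2_HDR_LEN + TC_FIXED_LEN + path_bytes;
    if (total > cap)
        return 0;
    memset(out, 0, total);
    out[0] = 0xFE; out[1] = 'S'; out[2] = 'M'; out[3] = 'B';  /* ProtocolId */
    out[4] = SMB2_HDR_LEN;                                    /* header StructureSize */
    out[12] = SMB2_TREE_CONNECT & 0xFF;                       /* Command */
    uint8_t *body = out + SMB2_HDR_LEN;
    body[0] = TC_STRUCT_SIZE;
    body[4] = path_offset & 0xFF; body[5] = path_offset >> 8;
    body[6] = path_length & 0xFF; body[7] = path_length >> 8;
    for (size_t i = 0; i < path_bytes; i++)                   /* UTF-16LE "AAA..." */
        body[TC_FIXED_LEN + i] = (i % 2) ? 0 : 'A';
    return total;
}

/* Well-formed request (20 path bytes declared and present) versus one that
 * declares 0x4000 path bytes while carrying 20. Returns 1 when the checked
 * parser accepts the first, rejects the second, and the unchecked range for
 * the second would over-read. */
int demo(void)
{
    uint8_t buf[256];
    size_t s = 0, e = 0, n;

    n = build_tree_connect(buf, sizeof buf, 72, 20, 20);
    if (tree_connect_path_checked(buf, n, &s, &e) != 0 || s != 72 || e != 92)
        return 0;

    n = build_tree_connect(buf, sizeof buf, 72, 0x4000, 20);
    tree_connect_path_unchecked(buf, n, &s, &e);
    int overread = e > n;                 /* 72 + 16384 vs. 92 bytes received */
    int rejected = tree_connect_path_checked(buf, n, &s, &e) != 0;
    return overread && rejected;
}

int main(void)
{
    puts(demo() ? "checked parser rejects the oversized PathLength"
                : "unexpected result");
    return 0;
}
```

The same two comparisons (offset not below the fixed fields, offset plus length not beyond the bytes received) are what a network-side detector would apply to a captured TREE_CONNECT request to flag the malformed shape described above.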

CVSS provenance

nvd            v3.1   6.5   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv                   6.5   MEDIUM
vendor_debian         6.5   MEDIUM
vendor_msrc           6.5   MEDIUM
vendor_redhat         6.5   MEDIUM