What is the severity of CVE-2022-49911?

CVE-2022-49911 is rated as a medium severity vulnerability in the Linux kernel.

How do I fix CVE-2022-49911?

The fix for CVE-2022-49911 is included in the patched versions of the Linux kernel, and users should update to the latest stable release.

What systems are affected by CVE-2022-49911?

CVE-2022-49911 affects the Linux kernel, particularly the ipset subsystem which handles firewall services.

Can CVE-2022-49911 lead to denial of service?

Yes, CVE-2022-49911 can potentially allow an attacker to exhaust system memory, leading to denial of service.

Who reported CVE-2022-49911?

CVE-2022-49911 was reported by Daniel Xu.

Vulnerability/
CVE-2022-49911

1/5/2025

CVE-2022-49911: netfilter: ipset: enforce documented limit to prevent allocating huge memory

First published: Thu May 01 2025(Updated: )

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: enforce documented limit to prevent allocating huge memory Daniel Xu reported that the hash:net,iface type of the ipset subsystem does not limit adding the same network with different interfaces to a set, which can lead to huge memory usage or allocation failure. The quick reproducer is $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0 $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done The backtrace when vmalloc fails: [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages <...> [Tue Oct 25 00:13:08 2022] Call Trace: [Tue Oct 25 00:13:08 2022] <TASK> [Tue Oct 25 00:13:08 2022] dump_stack_lvl+0x48/0x60 [Tue Oct 25 00:13:08 2022] warn_alloc+0x155/0x180 [Tue Oct 25 00:13:08 2022] __vmalloc_node_range+0x72a/0x760 [Tue Oct 25 00:13:08 2022] ? hash_netiface4_add+0x7c0/0xb20 [Tue Oct 25 00:13:08 2022] ? __kmalloc_large_node+0x4a/0x90 [Tue Oct 25 00:13:08 2022] kvmalloc_node+0xa6/0xd0 [Tue Oct 25 00:13:08 2022] ? hash_netiface4_resize+0x99/0x710 <...> The fix is to enforce the limit documented in the ipset(8) manpage: > The internal restriction of the hash:net,iface set type is that the same > network prefix cannot be stored with more than 64 different interfaces > in a single set.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected Software	Affected Version	How to fix
Linux Kernel

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-49911?
CVE-2022-49911 is rated as a medium severity vulnerability in the Linux kernel.
How do I fix CVE-2022-49911?
The fix for CVE-2022-49911 is included in the patched versions of the Linux kernel, and users should update to the latest stable release.
What systems are affected by CVE-2022-49911?
CVE-2022-49911 affects the Linux kernel, particularly the ipset subsystem which handles firewall services.
Can CVE-2022-49911 lead to denial of service?
Yes, CVE-2022-49911 can potentially allow an attacker to exhaust system memory, leading to denial of service.
Who reported CVE-2022-49911?
CVE-2022-49911 was reported by Daniel Xu.

collector/mitre-cve
source/MITRE
agent/title
agent/references
agent/type
agent/first-publish-date
agent/description
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
collector/nvd-api
source/NVD
agent/last-modified-date
agent/author
agent/source
agent/tags
agent/event
vendor/linux
canonical/linux kernel

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.