In May 2022, security researchers discovered and disclosed CVE-2022-1974, a serious use-after-free vulnerability in the Linux kernel’s NFC (Near Field Communication) subsystem. This bug could let a local user with CAP_NET_ADMIN privileges leak sensitive information from kernel memory, potentially leading to broader system compromise.
This post explains — in simple language — what this vulnerability is, how it works, shows the exploit code pattern, and provides references for further reading.
1. What Is CVE-2022-1974?
The Linux kernel handles NFC communication through a core library. This system uses “objects” (called kobjects) to manage NFC devices.
The vulnerability is a race condition during the creation and deletion of these kobjects. In simple terms, if two processes simultaneously create and delete the same NFC kobject, the kernel’s memory management can go wrong: one part of the code will try to access memory that was already freed by another part.
This is called a use-after-free bug. If an attacker can trigger this, they can read (or sometimes write) data in kernel memory that they shouldn’t have access to.
3. How the Bug Works
The vulnerability is in the way the NFC subsystem handles reference counting for kobjects in the kernel source file (net/nfc/core.c). If a process rapidly adds and removes NFC devices, a race occurs: the system can end up referencing a kobject that was already freed.
Here is a conceptual snippet (not the real code, but illustrates the race)
// Simulate two threads/processes acting at the same time
// Thread 1: adds kobject
struct kobject *obj = kobject_create();
// Thread 2: deletes kobject
kobject_delete(obj);
// Thread 1: still using obj after deletion!
printk("kobject name: %s\n", kobject_name(obj));
The print statement tries to access information from kobject after it was deleted, leading to a use-after-free.
Here’s a simplified Python pseudo-code that demonstrates the racing logic
import threading
import os
def create_devs():
for i in range(100):
os.system("ip link add type nfc name nfc{}".format(i))
def delete_devs():
for i in range(100):
os.system("ip link del nfc{}".format(i))
t1 = threading.Thread(target=create_devs)
t2 = threading.Thread(target=delete_devs)
t1.start()
t2.start()
t1.join()
t2.join()
*Note: This will only work if your kernel is not patched, your system supports nfcsim, and you have necessary privileges.*
5. Mitigation & Fix
Linux kernel maintainers patched this bug by improving reference counting and proper locking during kobject creation and destruction.
Update your kernel!
This vulnerability was fixed in Linux kernel commit 4b39e7b53c05.
CVE Database Entry:
https://nvd.nist.gov/vuln/detail/CVE-2022-1974
Linux commit fixing the issue:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4b39e7b53c05
Original patch discussion:
https://lore.kernel.org/all/20220517162331.2259863-2-willemdebruijn.kernel@gmail.com/
Red Hat Security Advisory:
https://access.redhat.com/security/cve/cve-2022-1974
7. Conclusion
CVE-2022-1974 shows how small timing mistakes in low-level code can have big security consequences. Even a local user with limited privileges could poke at these tiny cracks to peek into kernel memory. If you run Linux on servers or desktops, and you use (or even just ship) the NFC kernel modules, make sure you’re running a version that includes the fix.
As always: Keep your systems patched and restrict powerful privileges like CAP_NET_ADMIN as much as possible.
Timeline
Published on: 08/31/2022 16:15:00 UTC
Last modified on: 09/07/2022 15:54:00 UTC