CVE-2022-24122 - Escalating Privileges via Use-After-Free in Linux kernel/ucount.c (Linux 5.14–5.16.4)

A critical vulnerability, CVE-2022-24122, was discovered in the Linux kernel, specifically affecting versions 5.14 through 5.16.4. The issue lies in the kernel's kernel/ucount.c file, related to unprivileged user namespaces. If you’re running a distribution that enables unprivileged namespaces and supports user creation, your system might be vulnerable to use-after-free bugs and local privilege escalation. This post will break down the flaw in simple terms, explaining what went wrong, how it can be exploited, how to spot affected systems, and where to find more technical details.

Background: What Are User Namespaces and Ucounts?

In Linux, user namespaces let processes have different views of user and group IDs. They are a powerful sandboxing feature, but also enlarge the kernel's attack surface.

The kernel keeps track of how many resources each user or group consumes via ucounts structures. These are reference-counted objects; proper lifetime management is crucial to prevent bugs.

The Vulnerability in Plain English

CVE-2022-24122 happens because ucounts objects tied to a user namespace can live longer than that namespace. When the user namespace is freed (deleted), the associated ucounts objects might still be around, holding pointers to now-invalid memory. Later, any use of these stale ucounts leads to what's called a use-after-free bug.

Use-after-free can result in the kernel performing prohibited actions, causing a crash, corrupting data, or — worst of all — letting an attacker escalate their privileges to root.

The attack does not require special permissions: Any user with access to unprivileged user namespaces could exploit it.


## The Vulnerable Code (kernel/ucount.c)

Here's a snippet showing relevant logic (simplified for clarity)

struct ucounts {
    // ... various fields ...
    struct user_namespace *ns;
    // ... reference count, etc. ...
};

struct ucounts *get_ucounts(struct user_namespace *ns, kuid_t uid) {
    // finds or allocates a ucounts struct per-user per-namespace
    // ... (find-in-map or allocate new) ...
    refcount_inc(&ucounts->ref);
    return ucounts;
}

void put_ucounts(struct ucounts *ucounts) {
    if (refcount_dec_and_test(&ucounts->ref)) {
        // when refcount reaches zero, free the ucounts object
        kfree(ucounts);
    }
}

Now, if the user namespace is deleted but a process is still holding a ucounts reference (e.g., a delayed operation or some resource), the kernel may use a freed pointer if it refers to ucounts->ns.

Goal: Elevate privileges from an unprivileged user to root.

1. Create Many User Namespaces: The attacker creates a large number of new user namespaces, each with their own ucounts structures.
2. Cause Namespace Teardown without Cleaning ucounts: The attacker manipulates timing so that ucounts outlives the namespace, possibly by using certain system calls and processes.
3. Trigger Use-after-Free: Now, by referencing the freed ucounts (via fork, exec, or RLIMIT operations), the attacker can corrupt memory or control kernel logic.
4. Leverage to Escalate Privilege: With careful manipulation, this can be used to overwrite sensitive kernel structures or trick the kernel into running code with root privileges.

Here’s a pseudo-code exploit sketch (simplified)

# Run as an unprivileged user
while true; do
  unshare -U -r # create user namespace & map root inside
  # fork some process to hold references
done

# In parallel, trigger resource limit or user count operations to poke at stale ucounts
prlimit --nproc=999999 $$

Running Linux kernel 5.14—5.16.4

- CONFIG_USER_NS=y in your kernel config (check with zgrep USER_NS /proc/config.gz)
- /proc/sys/user/max_user_namespaces is nonzero

Mitigation & Patch

Upgrading to Linux 5.16.5 or newer is the best fix.

You can also disable unprivileged user namespaces (breaks some container/sandbox apps)

# as root
sysctl -w kernel.unprivileged_userns_clone=

Or, set the kernel boot param

user_namespace.enable=

References and Original Disclosure

- RedHat bug tracker
- Linux kernel commit fixing the issue
- Exploit PoC (GitHub)
- CVE Details page

Conclusion

CVE-2022-24122 is a classic example of the dangers lurking in kernel code tied to sandboxing features like user namespaces. The bug allows attackers to bend the kernel to their will — potentially letting any user become root.

If you manage Linux systems, patch up ASAP or disable unprivileged namespaces if possible.

Want to learn more? Check the original patch and public advisories for technical deep dives.

Timeline

Published on: 01/29/2022 22:15:00 UTC
Last modified on: 04/01/2022 14:16:00 UTC