PT-2025-18628 · Linux+2 · Linux Kernel+2

Published 2023-05-09 · Updated 2025-05-02 · CVE-2022-49911

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A vulnerability in the Linux kernel's netfilter ipset subsystem allows the hash:net,iface set type to add the same network with different interfaces to a set without limitation, leading to huge memory usage or allocation failure. The issue can be reproduced using the ipset command. The fix is to enforce the documented limit of 64 different interfaces for the same network prefix in a single set.

Recommendations

To resolve the issue, apply the limit documented in the ipset(8) manpage to prevent allocating huge memory. As a temporary workaround, consider restricting the use of the hash:net,iface type in the ipset subsystem to minimize the risk of exploitation. Avoid using the hash_netiface4_add function until the issue is resolved. Restrict access to the hash_netiface4_resize function to prevent memory allocation failures.
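
The following audit script is an added example, not part of the advisory or of the kernel fix: it reads `ipset save` output and reports any hash:net,iface set where one network prefix is bound to more than the 64 interfaces described above. The set names, interface names, sample text and the script file name are constructed for illustration.

```python
import sys
from collections import defaultdict

IFACE_LIMIT = 64  # per-network interface limit the advisory cites from ipset(8)

# Constructed sample in `ipset save` format; set and interface names are made up.
SAMPLE_SAVE = """\
create acl_in hash:net,iface family inet hashsize 1024 maxelem 65536
add acl_in 10.0.0.0/8,eth0
add acl_in 10.0.0.0/8,eth1
add acl_in 192.168.0.0/16,physdev:eth0 nomatch
create plain hash:ip family inet hashsize 1024 maxelem 65536
add plain 10.0.0.1
"""


def interfaces_per_network(save_text):
    """Return {(set_name, network): {interfaces}} for hash:net,iface sets only."""
    netiface_sets = set()
    seen = defaultdict(set)
    for line in save_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[0] == "create" and fields[2] == "hash:net,iface":
            netiface_sets.add(fields[1])
        elif fields[0] == "add" and fields[1] in netiface_sets:
            # Element is "<network>,<iface>"; IPv6 networks contain ':' but no ','.
            network, sep, iface = fields[2].partition(",")
            if sep and iface:
                seen[(fields[1], network)].add(iface)
    return dict(seen)


def over_limit(save_text, limit=IFACE_LIMIT):
    """List (set_name, network, count) entries holding more than `limit` interfaces."""
    return sorted(
        (name, net, len(ifaces))
        for (name, net), ifaces in interfaces_per_network(save_text).items()
        if len(ifaces) > limit
    )


if __name__ == "__main__":
    # Hypothetical usage: ipset save | python3 audit_netiface.py
    # With no piped input, the constructed sample above is checked instead.
    text = SAMPLE_SAVE if sys.stdin.isatty() else sys.stdin.read()
    for name, net, count in over_limit(text):
        print(f"{name}: {net} is bound to {count} interfaces (limit {IFACE_LIMIT})")
```

Any line this prints on a host identifies a set that already exceeds the documented limit and is worth reviewing before and after the kernel update.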

Related Identifiers

CVE-2022-49911
RHSA-2023:2458
RHSA-2023_2458

Affected Products

Astra Linux
Linux Kernel
Red Hat