PT-2025-25911 · Linux+6 · Linux Kernel+6

Published 2022-08-25 · Updated 2025-09-09 · CVE-2022-49985

CVSS v3.1: 7.1 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.19.0

Description

The issue is related to the use of tnum_range in array range checking for poke descriptors in the Linux kernel. tnum_range(0, map->max_entries - 1) has limited ability to represent the concrete tight range: the set of states a tnum produces from its value and mask can be a superset of the actual intended range. As a result, a tnum_in(range, reg->var_off) check can yield true when it shouldn't. The issue was reported by Hsin-Wei and is based on a customized syzkaller.

Recommendations

For Linux kernel versions prior to 5.19.0, update to version 5.19.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable bpf_int_jit_compile function until a patch is available. Avoid using the reg->var_off variable in the affected array range checking until the issue is resolved.
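
The over-approximation the description refers to, as an added example that is not part of the original advisory or the kernel source: a user-space model of tnum_range and tnum_in with a constructed array size of 3. The helper names fls64_model, check_with_tnum_range and check_const_bound are hypothetical, and the constant-bound comparison is an assumption about how a tight check can be expressed, not a quote of the upstream fix.

```c
/* Added illustration: user-space model of the kernel's tnum helpers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct tnum { uint64_t value; uint64_t mask; };   /* mask bits are "unknown" */

/* Position of the highest set bit, 1-based; 0 when x == 0 (hypothetical helper). */
static int fls64_model(uint64_t x) { int n = 0; while (x) { n++; x >>= 1; } return n; }

/* Smallest tnum covering [min, max]; models tnum_range(). */
static struct tnum tnum_range(uint64_t min, uint64_t max)
{
    int bits = fls64_model(min ^ max);
    if (bits > 63)                        /* 1ULL << 64 is undefined: all unknown */
        return (struct tnum){ 0, UINT64_MAX };
    uint64_t delta = (1ULL << bits) - 1;
    return (struct tnum){ min & ~delta, delta };
}

/* True if every state of b is also a state of a; models tnum_in(). */
static bool tnum_in(struct tnum a, struct tnum b)
{
    if (b.mask & ~a.mask)
        return false;
    return a.value == (b.value & ~a.mask);
}

/* The pattern from the description: index tested against tnum_range(0, max - 1). */
static bool check_with_tnum_range(struct tnum var_off, uint32_t max_entries)
{
    return tnum_in(tnum_range(0, max_entries - 1), var_off);
}

/* Tight check (assumption): index is a known constant strictly below max_entries. */
static bool check_const_bound(struct tnum var_off, uint32_t max_entries)
{
    return var_off.mask == 0 && var_off.value < max_entries;
}

int main(void)
{
    struct tnum idx = { 3, 0 };  /* constructed: constant index 3, array of 3 entries */
    printf("tnum_range check: %d, constant bound check: %d\n",
           check_with_tnum_range(idx, 3), check_const_bound(idx, 3));
    return 0;
}
```

With three entries, tnum_range(0, 2) becomes value 0 with mask 3, which stands for the four states {0, 1, 2, 3}, so index 3 passes the tnum-based check while the constant comparison rejects it.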

Exploit

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers

ALSA-2025:15471
ALSA-2025:15472
BDU:2026-02025
CESA-2025_15471
CESA-2025_15472
CVE-2022-49985
INFSA-2025_15471
INFSA-2025_15472
RHSA-2023:2458
RHSA-2023_2458
RHSA-2025:15471
RHSA-2025:15472
RHSA-2025:17570
RHSA-2025_15471
RHSA-2025_15472
RHSA-2026:5693
RHSA-2026:5732
SUSE-SU-2025:02264-1
SUSE-SU-2025:02308-1
SUSE-SU-2025:02320-1
SUSE-SU-2025:02321-1
SUSE-SU-2025:02322-1
SUSE-SU-2025:02537-1
SUSE-SU-2025:2264-1
SUSE-SU-2025_02264-1
SUSE-SU-2025_02308-1
SUSE-SU-2025_02537-1

Affected Products

Almalinux
Astra Linux
Centos
Linux Kernel
Red Hat
Rocky Linux
Suse