New Linux Bug in Netfilter Firewall Module Being Leveraged for Root Access (14th March 2022)

Ref# AL2022_15 | Date: Mar 14th 2022


A local attacker could use a newly discovered security vulnerability in the Linux kernel to gain elevated privileges on susceptible systems and execute arbitrary code, escape containers, or cause a kernel panic.


A local attacker with a user account on the system can exploit this weakness to obtain access to out-of-bounds memory, potentially causing a system crash or a privilege escalation threat.

Netfilter is a Linux kernel framework that allows for packet filtering, network address translation, and port translation, among other networking-related tasks.

The vulnerability, dubbed CVE-2022-25636, affects Linux kernel versions 5.4 through 5.6.10 and is caused by a heap out-of-bounds write in the kernel's netfilter subcomponent.

CVE-2022-25636 is a vulnerability in the framework's handling of the hardware offload capability, which might be exploited by a malicious local user to cause a denial-of-service (DoS) or execute arbitrary code.

How it works

Even though the code deals with hardware offload, this can be exploited when targeting network devices without offload functionality (e.g. lo), as the bug is activated before the rule creation fails. While nftables requires CAP_NET_ADMIN, we can unshare into a new network namespace and utilize this as a (normal) unprivileged user.

Since the variable written out of bounds is conveniently a pointer to a net_device structure, this can easily be transformed into kernel/local privilege escalation.
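The following exposure check is an added example, not part of the original alert: it screens a host's kernel release against the range stated above and reports whether unprivileged user namespaces, which an unprivileged user needs in order to create the new network namespace described here, are open. The function names and result strings are assumptions made for this illustration.

```python
import platform
import re
from pathlib import Path

# Affected range exactly as stated in this advisory: 5.4 through 5.6.10.
AFFECTED_MIN, AFFECTED_MAX = (5, 4, 0), (5, 6, 10)
# Sysctls that gate unprivileged user namespaces (the second is Debian/Ubuntu only).
USERNS_SYSCTLS = ("user.max_user_namespaces", "kernel.unprivileged_userns_clone")

def parse_release(release):
    """Turn a `uname -r` string such as '5.4.0-100-generic' into (5, 4, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(part or 0) for part in m.groups())

def in_advisory_range(release):
    # Coarse screen only: distribution kernels backport fixes without changing
    # this number, so confirm against the vendor's own advisory.
    return AFFECTED_MIN <= parse_release(release) <= AFFECTED_MAX

def read_sysctls(names=USERNS_SYSCTLS, root="/proc/sys"):
    """Read sysctl values from procfs; names missing on this kernel are skipped."""
    values = {}
    for name in names:
        try:
            values[name] = Path(root, *name.split(".")).read_text().strip()
        except OSError:
            pass
    return values

def userns_open(sysctls):
    """True unless a sysctl set to 0 blocks unprivileged user namespaces."""
    # A missing key is treated as open, the conservative reading.
    return all(sysctls.get(name, "1").strip() != "0" for name in USERNS_SYSCTLS)

def assess(release, sysctls):
    if not in_advisory_range(release):
        return "outside advisory range"
    if userns_open(sysctls):
        return "in range: nftables reachable by unprivileged users via a new namespace"
    return "in range: nftables reachable only with CAP_NET_ADMIN"

if __name__ == "__main__":
    print(assess(platform.release(), read_sysctls()))
```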


There are currently no updates available to address this vulnerability, but it is highly recommended to stay alert for future updates and apply them in a timely fashion.

For more information on the affected releases, you can follow these URLs:

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
