What is CVE-2022-48935?

CVE-2022-48935 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, classified as a Use After Free flaw (CWE-416), affecting Linux kernel versions from 5.5 onward and patched in 5.10.198, 5.15.26, 5.16.12 and others. CVE-2022-48935 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2022-48935?

CVE-2022-48935 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2022-48935?

Yes, CVE-2022-48935 has been patched. Fixed versions include 5.10.198, 5.15.26, 5.16.12 and others. If you are running Linux kernel 5.5 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2022-48935 actively exploited?

CVE-2022-48935 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Use After Free (CWE-416)?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/416.html

CVE-2022-48935

Medium

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unregister flowtable hooks on netns exit Unregister flowtable hooks before they are releases via nf_tables_flowtable_destroy() otherwise hook core reports UAF. BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666 CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106 print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652 __nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nf_flow_table_free() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block.

Package Linux Kernel

Published 2024-08-22

Last modified 2025-06-19

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-416

CVE-2022-48935 is a Use After Free vulnerability

What is Use After Free?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. Learn more on MITRE CWE

Affected versions

Linux kernel versions 5.5 and later are affected. Fixed in 5.10.198, 5.15.26, 5.16.12, 5.17 and their respective stable series.

Affected from

≥ 5.5

Fixed in

✓ 5.10.198 5.10.x ✓ 5.15.26 5.15.x ✓ 5.16.12 5.16.x ✓ 5.17

References

The following references provide additional information about CVE-2022-48935 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/6069da443bf65f513bb507bb21e2f87cfb1ad0b6
Patch
Kernel patch commit
https://git.kernel.org/stable/c/8ffb8ac3448845f65634889b051bd65e4dee484b
Patch
Kernel patch commit
https://git.kernel.org/stable/c/b4fcc081e527aa2ce12e956912fc47e251f6bd27
Patch

4 patch commits total View all on NVD

Details

CVE ID CVE-2022-48935

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2024-08-22

Modified 2025-06-19

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2022-48935?

CVE-2022-48935 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 , classified as an Use After Free flaw (CWE-416) . It affects Linux kernel versions from 5.5 onward and has been patched in 5.10.198, 5.15.26, 5.16.12 and others. CVE-2022-48935 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2022-48935?

CVE-2022-48935 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2022-48935?

Yes — CVE-2022-48935 has been patched. Fixed versions include 5.10.198, 5.15.26, 5.16.12 and others. If you are running Linux kernel 5.5 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2022-48935 actively exploited?

No — CVE-2022-48935 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Use After Free (CWE-416)?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. View CWE-416 on MITRE CWE →