CVE-2021-22555 - very high - how does one deal with this?

The compat IPT_SO_SET_REPLACE/IP6T_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allows local users to gain privileges or cause a denial of service (heap memory corruption) via user namespace. This vulnerability is very similar to CVE-2016-3134 (CVSSv3 8.4 High) and CVE-2016-4997 (CVSSv3 7.8 High).

Compile the code below using gcc -m32 -o poc poc.c and run it. The following panic has been observed on Linux 5.4.73 with KASAN:

I’m wondering, how does one go about properly applying a sort of patch to their system, for stuff like this?

So, what I’m reading here is “local user” that needs to be able to run gcc.

And this has been used to escape k8s in a hacking contest, so I’m reading.

I see in the top right of the page github page: “patched kernels”.

So, on a Ubuntu system, one would have to apt update and then apt upgrade the kernel, and I suppose reboot?

Ubuntu has some kind of “live kernel reload” stuff but I don’t know how that works.

I sometimes see updates like 4.6.0-132 becoming 4.6.0-134(Making number up here). I suppose that’s not good enough?

Livepatch, yes.

For small installations it’s free, I’m pretty sure they want enterprise to pay though.

Ahh: Canonical Livepatch Service | Security | Ubuntu

Free for 3 machines.


I am not sure if this is a viable mitigation, but if you are worried about heap corruptions in general and can live with a small performance penalty you can look into the hardened_malloc implementation. It was developed from the ground up by Daniel Micay, the developer of GrapheneOS, and has been recommended to be used for critical applications.