Phase 7: af_packet (CVE-2017-7308) + FUSE legacy (CVE-2022-0185)
Two more famous LPEs broadening 'THE tool' coverage:
af_packet CVE-2017-7308 (Andrey Konovalov, Mar 2017):
- AF_PACKET TPACKET_V3 ring setup integer overflow → heap write-where
- Fills 2017 coverage gap
- kernel_range: 3.18.49 / 4.4.57 / 4.9.18 / 4.10.6 / mainline 4.11+
- Needs CAP_NET_RAW via user_ns clone
- Famous as the canonical 'userns + AF_PACKET → root' research-era LPE
fuse_legacy CVE-2022-0185 (William Liu / Crusaders-of-Rust, Jan 2022):
- legacy_parse_param fsconfig heap OOB → cross-cache UAF → root
- **Container-escape angle** — relevant to rootless docker/podman/snap
(the system admin persona's nightmare)
- kernel_range: 5.4.171 / 5.10.91 / 5.15.14 / 5.16.2 / mainline 5.17+
- Needs user_ns + mount_ns to reach legacy_load() code path
- Originally reported as FUSE-specific but actually applies to any
fs-mount path from userns (cgroup2, etc.)
Both detect-only initially; full exploits in follow-ups.
Coverage by year now:
2016: dirty_cow 🟢
2017: af_packet 🔵
2019: ptrace_traceme 🔵
2021: pwnkit, overlayfs, netfilter_xtcompat 🟢/🟢/🔵
2022: dirty_pipe, cls_route4, fuse_legacy 🟢/🔵/🔵
2023: entrybleed 🟢
2024: nf_tables 🔵
2026: copy_fail family (×5) 🟢
16 modules total. Build clean. Scan on kctf-mgr: 11 OK / 5 VULNERABLE.
leviathan
a52f5a657f