CVE-2022-49142: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net: preserve skb_end_offset() in skb_unclone_keeptruesize() syzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len) in skb_try_coalesce() [1] I was able to root cause the issue to kfence. When kfence is in action, the following assertion is no longer true: int size = xxxx; void *ptr1 = kmalloc(size, gfp); void *ptr2 = kmalloc(size, gfp); if (ptr1 && ptr2) ASSERT(ksize(ptr1) == ksize(ptr2)); We attempted to fix these issues in the blamed commits, but forgot that TCP was possibly shifting data after skb_unclone_keeptruesize() has been used, notably from tcp_retrans_try_collapse(). So we not only need to keep same skb->truesize value, we also need to make sure TCP wont fill new tailroom that pskb_expand_head() was able to get from a addr = kmalloc(...) followed by ksize(addr) Split skb_unclone_keeptruesize() into two parts: 1) Inline skb_unclone_keeptruesize() for the common case, when skb is not cloned. 2) Out of line __skb_unclone_keeptruesize() for the 'slow path'. WARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295 Modules linked in: CPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295 Code: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 62 24 4e fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 cb 20 4e fa <0f> 0b e9 06 f9 ff ff e8 af b2 95 fa e9 69 f0 ff ff e8 95 b2 95 fa RSP: 0018:ffffc900063af268 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 00000000ffffffd5 RCX: 0000000000000000 RDX: ffff88806fc05700 RSI: ffffffff872abd55 RDI: 0000000000000003 RBP: ffff88806e675500 R08: 00000000ffffffd5 R09: 0000000000000000 R10: ffffffff872ab659 R11: 0000000000000000 R12: ffff88806dd554e8 R13: ffff88806dd9bac0 R14: ffff88806dd9a2c0 R15: 0000000000000155 FS: 00007f18014f9700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002000 CR3: 000000006be7a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline] tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630 tcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914 tcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025 tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947 tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719 sk_backlog_rcv include/net/sock.h:1037 [inline] __release_sock+0x134/0x3b0 net/core/sock.c:2779 release_sock+0x54/0x1b0 net/core/sock.c:3311 sk_wait_data+0x177/0x450 net/core/sock.c:2821 tcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457 tcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572 inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI Analysis
Technical Summary
CVE-2022-49142 is a vulnerability in the Linux kernel's networking stack, specifically related to the handling of socket buffers (sk_buff or skb) in the TCP implementation. The issue arises from improper preservation of the skb's true size (skb->truesize) during skb cloning and data shifting operations, particularly in the function skb_unclone_keeptruesize() and its interaction with TCP retransmission logic in tcp_retrans_try_collapse(). The vulnerability was discovered through syzbot fuzzing and is linked to the kernel's kfence memory error detection mechanism, which invalidates certain assumptions about memory allocation sizes (ksize) used in skb management. When kfence is active, the assertion that two kmalloc allocations of the same size yield buffers with equal ksize no longer holds, leading to inconsistencies in skb buffer size tracking. This can cause the kernel to trigger WARN_ON_ONCE assertions and potentially lead to kernel crashes or memory corruption due to mishandling of skb tailroom and data coalescing in tcp_try_coalesce(). The fix involves splitting skb_unclone_keeptruesize() into an inline fast path for non-cloned skbs and an out-of-line slow path for cloned skbs, ensuring that skb->truesize is preserved correctly and that TCP does not overwrite newly allocated tailroom incorrectly. The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes, and it is rooted in core networking code (net/core/skbuff.c and net/ipv4/tcp_input.c). Although no known exploits are reported in the wild, the nature of the flaw suggests it could be triggered by crafted network traffic causing kernel warnings or crashes. This vulnerability requires no user interaction but does require the kernel to be running affected versions with TCP networking enabled. It is a low-level kernel memory management flaw that could impact system stability and reliability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running vulnerable Linux kernel versions, especially those handling high volumes of TCP traffic such as web servers, application servers, and network appliances. Exploitation could lead to kernel panics or denial of service (DoS) conditions, disrupting critical services and potentially causing downtime. While there is no evidence of privilege escalation or remote code execution, the instability caused by this flaw could be leveraged in multi-stage attacks or combined with other vulnerabilities. Organizations relying on Linux-based cloud infrastructure, data centers, or embedded devices in telecommunications could face operational disruptions. The impact is heightened in environments with strict uptime requirements or where kernel crashes trigger failover or recovery procedures that may not be seamless. Additionally, the presence of kfence (a kernel memory debugging feature) in some deployments might increase the likelihood of triggering this issue during testing or production runs. Given the widespread use of Linux in European IT environments, the vulnerability could affect a broad range of sectors including finance, healthcare, government, and critical infrastructure.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize updating their Linux kernels to versions where this flaw is patched. Since the vulnerability is in core kernel networking code, applying official kernel updates from trusted Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) is essential. Organizations should: 1) Audit their Linux kernel versions and identify systems running affected commits or versions. 2) Deploy kernel updates promptly, especially on servers exposed to untrusted networks. 3) If immediate patching is not feasible, consider disabling kfence or kernel debugging features in production environments to reduce the chance of triggering the assertion, though this is a temporary workaround and reduces memory error detection capabilities. 4) Monitor kernel logs for WARN_ON_ONCE or skb_try_coalesce warnings that could indicate attempts to trigger the vulnerability. 5) Employ network segmentation and firewall rules to limit exposure of vulnerable systems to untrusted traffic sources. 6) Test kernel updates in staging environments to ensure stability and compatibility with existing applications. 7) Engage with Linux distribution security advisories and subscribe to vulnerability notifications to stay informed about patches and exploit developments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2022-49142: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: preserve skb_end_offset() in skb_unclone_keeptruesize() syzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len) in skb_try_coalesce() [1] I was able to root cause the issue to kfence. When kfence is in action, the following assertion is no longer true: int size = xxxx; void *ptr1 = kmalloc(size, gfp); void *ptr2 = kmalloc(size, gfp); if (ptr1 && ptr2) ASSERT(ksize(ptr1) == ksize(ptr2)); We attempted to fix these issues in the blamed commits, but forgot that TCP was possibly shifting data after skb_unclone_keeptruesize() has been used, notably from tcp_retrans_try_collapse(). So we not only need to keep same skb->truesize value, we also need to make sure TCP wont fill new tailroom that pskb_expand_head() was able to get from a addr = kmalloc(...) followed by ksize(addr) Split skb_unclone_keeptruesize() into two parts: 1) Inline skb_unclone_keeptruesize() for the common case, when skb is not cloned. 2) Out of line __skb_unclone_keeptruesize() for the 'slow path'. WARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295 Modules linked in: CPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295 Code: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 62 24 4e fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 cb 20 4e fa <0f> 0b e9 06 f9 ff ff e8 af b2 95 fa e9 69 f0 ff ff e8 95 b2 95 fa RSP: 0018:ffffc900063af268 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 00000000ffffffd5 RCX: 0000000000000000 RDX: ffff88806fc05700 RSI: ffffffff872abd55 RDI: 0000000000000003 RBP: ffff88806e675500 R08: 00000000ffffffd5 R09: 0000000000000000 R10: ffffffff872ab659 R11: 0000000000000000 R12: ffff88806dd554e8 R13: ffff88806dd9bac0 R14: ffff88806dd9a2c0 R15: 0000000000000155 FS: 00007f18014f9700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002000 CR3: 000000006be7a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline] tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630 tcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914 tcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025 tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947 tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719 sk_backlog_rcv include/net/sock.h:1037 [inline] __release_sock+0x134/0x3b0 net/core/sock.c:2779 release_sock+0x54/0x1b0 net/core/sock.c:3311 sk_wait_data+0x177/0x450 net/core/sock.c:2821 tcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457 tcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572 inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI-Powered Analysis
Technical Analysis
CVE-2022-49142 is a vulnerability in the Linux kernel's networking stack, specifically related to the handling of socket buffers (sk_buff or skb) in the TCP implementation. The issue arises from improper preservation of the skb's true size (skb->truesize) during skb cloning and data shifting operations, particularly in the function skb_unclone_keeptruesize() and its interaction with TCP retransmission logic in tcp_retrans_try_collapse(). The vulnerability was discovered through syzbot fuzzing and is linked to the kernel's kfence memory error detection mechanism, which invalidates certain assumptions about memory allocation sizes (ksize) used in skb management. When kfence is active, the assertion that two kmalloc allocations of the same size yield buffers with equal ksize no longer holds, leading to inconsistencies in skb buffer size tracking. This can cause the kernel to trigger WARN_ON_ONCE assertions and potentially lead to kernel crashes or memory corruption due to mishandling of skb tailroom and data coalescing in tcp_try_coalesce(). The fix involves splitting skb_unclone_keeptruesize() into an inline fast path for non-cloned skbs and an out-of-line slow path for cloned skbs, ensuring that skb->truesize is preserved correctly and that TCP does not overwrite newly allocated tailroom incorrectly. The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes, and it is rooted in core networking code (net/core/skbuff.c and net/ipv4/tcp_input.c). Although no known exploits are reported in the wild, the nature of the flaw suggests it could be triggered by crafted network traffic causing kernel warnings or crashes. This vulnerability requires no user interaction but does require the kernel to be running affected versions with TCP networking enabled. It is a low-level kernel memory management flaw that could impact system stability and reliability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running vulnerable Linux kernel versions, especially those handling high volumes of TCP traffic such as web servers, application servers, and network appliances. Exploitation could lead to kernel panics or denial of service (DoS) conditions, disrupting critical services and potentially causing downtime. While there is no evidence of privilege escalation or remote code execution, the instability caused by this flaw could be leveraged in multi-stage attacks or combined with other vulnerabilities. Organizations relying on Linux-based cloud infrastructure, data centers, or embedded devices in telecommunications could face operational disruptions. The impact is heightened in environments with strict uptime requirements or where kernel crashes trigger failover or recovery procedures that may not be seamless. Additionally, the presence of kfence (a kernel memory debugging feature) in some deployments might increase the likelihood of triggering this issue during testing or production runs. Given the widespread use of Linux in European IT environments, the vulnerability could affect a broad range of sectors including finance, healthcare, government, and critical infrastructure.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize updating their Linux kernels to versions where this flaw is patched. Since the vulnerability is in core kernel networking code, applying official kernel updates from trusted Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) is essential. Organizations should: 1) Audit their Linux kernel versions and identify systems running affected commits or versions. 2) Deploy kernel updates promptly, especially on servers exposed to untrusted networks. 3) If immediate patching is not feasible, consider disabling kfence or kernel debugging features in production environments to reduce the chance of triggering the assertion, though this is a temporary workaround and reduces memory error detection capabilities. 4) Monitor kernel logs for WARN_ON_ONCE or skb_try_coalesce warnings that could indicate attempts to trigger the vulnerability. 5) Employ network segmentation and firewall rules to limit exposure of vulnerable systems to untrusted traffic sources. 6) Test kernel updates in staging environments to ensure stability and compatibility with existing applications. 7) Engage with Linux distribution security advisories and subscribe to vulnerability notifications to stay informed about patches and exploit developments.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T01:49:39.269Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9820c4522896dcbdd5f0
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/28/2025, 12:26:24 AM
Last updated: 8/8/2025, 2:31:50 PM
Views: 14
Related Threats
CVE-2025-55159: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in tokio-rs slab
MediumCVE-2025-55161: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-25235: CWE-918 Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway
HighCVE-2025-55151: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-55150: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.