CVE-2022-49198: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb

Got crash when doing pressure test of mptcp:

===========================================================================
dst_release: dst:ffffa06ce6e5c058 refcnt:-1
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel paging request at ffffa06ce6e5c058
PGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063
Oops: 0011 [#1] SMP PTI
CPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G E
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014
Call Trace:
 ? skb_release_head_state+0x68/0x100
 ? skb_release_all+0xe/0x30
 ? kfree_skb+0x32/0xa0
 ? mptcp_sendmsg_frag+0x57e/0x750
 ? __mptcp_retrans+0x21b/0x3c0
 ? __switch_to_asm+0x35/0x70
 ? mptcp_worker+0x25e/0x320
 ? process_one_work+0x1a7/0x360
 ? worker_thread+0x30/0x390
 ? create_worker+0x1a0/0x1a0
 ? kthread+0x112/0x130
 ? kthread_flush_work_fn+0x10/0x10
 ? ret_from_fork+0x35/0x40
===========================================================================

In __mptcp_alloc_tx_skb the skb was allocated and skb->tcp_tsorted_anchor will be initialized; in a memory pressure situation sk_wmem_schedule will return false and then kfree_skb. In this case skb->_skb_refdst is not null because _skb_refdst and tcp_tsorted_anchor are stored in the same mem, and kfree_skb will try to release dst and cause crash.
AI Analysis
Technical Summary
CVE-2022-49198 is a vulnerability identified in the Linux kernel's implementation of Multipath TCP (MPTCP), a protocol extension that allows a single TCP connection to use multiple paths to maximize resource usage and increase redundancy. The flaw arises from improper handling of socket buffer (skb) memory during transmission under memory pressure conditions. Specifically, when the kernel allocates a transmission skb in the __mptcp_alloc_tx_skb function, it initializes the tcp_tsorted_anchor structure within the skb. However, if the system is under memory pressure, the function sk_wmem_schedule may fail, triggering a call to kfree_skb to free the skb. Because skb->_skb_refdst and tcp_tsorted_anchor share the same memory, kfree_skb attempts to release a destination reference that has already been freed or is in an inconsistent state, leading to a kernel crash (kernel panic) due to a use-after-free or double free scenario. The crash manifests as a kernel paging request error and an invalid reference count on the destination object, as evidenced by the kernel oops logs. This vulnerability can be triggered during stress or pressure testing of MPTCP connections, causing denial of service (DoS) by crashing the kernel. While no known exploits are reported in the wild, the vulnerability is significant because it affects the core Linux kernel networking stack, potentially impacting any system using MPTCP. The issue was resolved by correcting the order of initialization and release of tcp_tsorted_anchor and skb references to prevent premature freeing and consequent crashes.
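The field aliasing described above can be reproduced in a small userspace model. This is an added example, not kernel code or the upstream patch: `model_skb`, `model_init_anchor`, `model_free` and `alloc_fail_path` are hypothetical stand-ins, and the clear-before-free branch is just one way to make the modelled error path safe.

```c
#include <stdint.h>

/* Userspace model only; simplified stand-ins, not kernel definitions. */
struct list_head { struct list_head *next, *prev; };

struct model_skb {
    union {                        /* same storage, two meanings */
        uintptr_t refdst;          /* models skb->_skb_refdst */
        struct list_head anchor;   /* models skb->tcp_tsorted_anchor */
    };
};

static int dst_release_calls;      /* counts modelled dst_release() calls */

/* Same effect as INIT_LIST_HEAD: both pointers refer back to the head. */
static void model_init_anchor(struct model_skb *skb)
{
    skb->anchor.next = &skb->anchor;
    skb->anchor.prev = &skb->anchor;
}

/* Models the free path: any non-zero refdst is treated as a dst to release. */
static void model_free(struct model_skb *skb)
{
    if (skb->refdst)
        dst_release_calls++;       /* kernel: dst_release() on a bogus pointer */
}

/* Walks the allocation-failure path and returns the number of bogus
 * dst releases performed while dropping the skb. */
static int alloc_fail_path(int clear_alias_before_free)
{
    struct model_skb skb = { 0 };

    dst_release_calls = 0;
    model_init_anchor(&skb);       /* anchor initialised at allocation time */
    /* modelled sk_wmem_schedule() failure: the skb has to be dropped */
    if (clear_alias_before_free)
        skb.refdst = 0;            /* hardened: reset the aliased field first */
    model_free(&skb);
    return dst_release_calls;
}

int main(void)
{
    /* unhardened path releases once, hardened path never does */
    return (alloc_fail_path(0) == 1 && alloc_fail_path(1) == 0) ? 0 : 1;
}
```

In the model the list anchor's self-pointer is what the free path reads back as a destination reference, which matches the `dst_release` line in the oops reporting the skb-resident address with `refcnt:-1`.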
Potential Impact
For European organizations, the impact of CVE-2022-49198 primarily involves potential denial of service conditions on Linux-based systems utilizing MPTCP. This includes servers, network appliances, and cloud infrastructure that leverage MPTCP for enhanced network resilience and throughput. A kernel crash can lead to system downtime, loss of availability of critical services, and potential disruption of business operations. In environments where high availability is essential—such as financial institutions, telecommunications providers, and critical infrastructure operators—such disruptions could have significant operational and reputational consequences. Additionally, while no direct code execution or privilege escalation is indicated, repeated crashes could be leveraged by attackers to cause persistent denial of service or to create conditions favorable for further exploitation. European organizations relying on Linux kernels with affected versions, especially those deploying MPTCP in production or testing environments, should be aware of the risk of unexpected system crashes under network load or memory pressure.
Mitigation Recommendations
To mitigate CVE-2022-49198, European organizations should:
1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available, ensuring that the fix for the skb and tcp_tsorted_anchor handling is included.
2) Audit and monitor systems that utilize MPTCP, particularly those under heavy network load or memory pressure, to detect abnormal kernel crashes or oops messages indicative of this issue.
3) If immediate patching is not feasible, consider disabling MPTCP functionality temporarily to prevent triggering the vulnerability, especially in production environments.
4) Implement robust kernel crash recovery and monitoring mechanisms to minimize downtime and facilitate rapid incident response.
5) Conduct thorough testing of network stack behavior under stress conditions in controlled environments to identify any residual instability.
6) Maintain up-to-date inventories of Linux kernel versions deployed across infrastructure to prioritize patching efforts effectively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.291Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982dc4522896dcbe5219
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 4:10:27 AM
Last updated: 7/26/2025, 8:10:06 AM