
CVE-2022-49204: Vulnerability in Linux (Linux kernel)

Severity: High
Tags: Vulnerability, CVE-2022-49204, cve, cve-2022-49204
Published: Wed Feb 26 2025 (02/26/2025, 01:55:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix more uncharged while msg has more_data

In tcp_bpf_send_verdict(), if msg has more data after tcp_bpf_sendmsg_redir():

tcp_bpf_send_verdict()
 tosend = msg->sg.size  //msg->sg.size = 22220
 case __SK_REDIRECT:
  sk_msg_return()  //uncharged msg->sg.size(22220) to sk->sk_forward_alloc
  tcp_bpf_sendmsg_redir()  //after tcp_bpf_sendmsg_redir, msg->sg.size=11000
 goto more_data;
 tosend = msg->sg.size  //msg->sg.size = 11000
 case __SK_REDIRECT:
  sk_msg_return()  //uncharged msg->sg.size(11000) to sk->sk_forward_alloc

The msg->sg.size(11000) has been uncharged twice, to fix we can charge the remaining msg->sg.size before goto more data.

This issue can cause the following info:

WARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0
Call Trace:
 <TASK>
 inet_csk_destroy_sock+0x55/0x110
 __tcp_close+0x279/0x470
 tcp_close+0x1f/0x60
 inet_release+0x3f/0x80
 __sock_release+0x3d/0xb0
 sock_close+0x11/0x20
 __fput+0x92/0x250
 task_work_run+0x6a/0xa0
 do_exit+0x33b/0xb60
 do_group_exit+0x2f/0xa0
 get_signal+0xb6/0x950
 arch_do_signal_or_restart+0xac/0x2a0
 ? vfs_write+0x237/0x290
 exit_to_user_mode_prepare+0xa9/0x200
 syscall_exit_to_user_mode+0x12/0x30
 do_syscall_64+0x46/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
 </TASK>

WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
 <TASK>
 __sk_destruct+0x24/0x1f0
 sk_psock_destroy+0x19b/0x1c0
 process_one_work+0x1b3/0x3c0
 worker_thread+0x30/0x350
 ? process_one_work+0x3c0/0x3c0
 kthread+0xe6/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
 </TASK>

AI-Powered Analysis

Last updated: 06/30/2025, 04:11:46 UTC

Technical Analysis

CVE-2022-49204 is a vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) sockmap implementation, specifically in the tcp_bpf_send_verdict() function. The issue is incorrect accounting of socket memory (sk->sk_forward_alloc) against the queued message size (msg->sg.size) when a TCP message is redirected. On the __SK_REDIRECT path, sk_msg_return() uncharges the whole msg->sg.size to sk->sk_forward_alloc before tcp_bpf_sendmsg_redir() runs; if the redirect sends only part of the message, the function jumps back to more_data and uncharges the remaining msg->sg.size a second time, without having charged it again in between. The bytes left in the message are therefore uncharged twice. This leaves the socket's memory accounting inconsistent, produces kernel warnings such as those from sk_stream_kill_queues() and inet_sock_destruct() shown in the call traces, and can destabilize the networking stack. The root cause is a logic error in managing sk_forward_alloc when the message still has data after tcp_bpf_sendmsg_redir(); the fix charges the remaining msg->sg.size before looping back. The resulting resource mismanagement may cause denial of service (DoS) conditions through kernel crashes or memory corruption. The vulnerability affects Linux kernel versions identified by the commit hash 604326b41a6fb9b4a78b6179335decee0365cd8c and similar versions. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability is low-level, affecting the kernel's networking subsystem and specifically the BPF sockmap functionality used in advanced packet processing and redirection scenarios.
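To make the double uncharge in the commit message concrete, the following is an added model of the sk_forward_alloc bookkeeping around the more_data loop. It is constructed for this page and is not kernel code: the struct and function names only mirror the kernel's (sk_msg_return, sk_mem_charge, tcp_bpf_sendmsg_redir) for readability, the redirect is reduced to "push at most `redir_quota` bytes and leave the rest queued", and the byte counts are the ones from the commit message (22220 queued, 11000 left after the first redirect). The `fixed` flag switches in the remedy the commit describes, charging the bytes still queued before looping back.

```c
/* Constructed model (not kernel code) of sk_forward_alloc accounting on the
 * __SK_REDIRECT path of tcp_bpf_send_verdict(), to show why the remaining
 * msg->sg.size is uncharged twice when msg still has data after the redirect. */
#include <stdbool.h>
#include <stdio.h>

struct sock_model {
    long sk_forward_alloc;   /* model of sk->sk_forward_alloc */
};

struct sk_msg_model {
    long sg_size;            /* model of msg->sg.size: bytes still queued */
};

/* sk_msg_return(): give the msg's bytes back to sk_forward_alloc.  Correct
 * only if those bytes were charged exactly once beforehand. */
static void sk_msg_return_model(struct sock_model *sk, struct sk_msg_model *msg)
{
    sk->sk_forward_alloc += msg->sg_size;
}

/* sk_mem_charge(): reserve bytes from sk_forward_alloc. */
static void sk_mem_charge_model(struct sock_model *sk, long bytes)
{
    sk->sk_forward_alloc -= bytes;
}

/* tcp_bpf_sendmsg_redir(): push at most `quota` bytes to the redirect target
 * and leave the rest queued in msg.  Only the size bookkeeping is modelled;
 * returns the number of bytes sent. */
static long tcp_bpf_sendmsg_redir_model(struct sk_msg_model *msg, long quota)
{
    long sent = msg->sg_size < quota ? msg->sg_size : quota;
    msg->sg_size -= sent;
    return sent;
}

/* Model of the redirect path.  `msg_size` bytes were charged to the socket
 * when the msg was queued, so the model starts at sk_forward_alloc = -msg_size.
 * `redir_quota` (> 0, an assumption of the model) is how much one redirect
 * call pushes.  Returns sk_forward_alloc once the msg is fully sent: it must
 * be 0 for the accounting to balance; net/core/stream.c warns at socket
 * teardown when it is not. */
long send_verdict_redirect(long msg_size, long redir_quota, bool fixed)
{
    struct sock_model sk = { .sk_forward_alloc = -msg_size };
    struct sk_msg_model msg = { .sg_size = msg_size };
    long tosend, sent;

more_data:
    tosend = msg.sg_size;
    sk_msg_return_model(&sk, &msg);                 /* uncharge tosend */
    sent = tcp_bpf_sendmsg_redir_model(&msg, redir_quota);
    if (sent <= 0)
        return sk.sk_forward_alloc;                 /* no progress; stop */
    if (tosend - sent > 0) {
        /* The fix: the bytes still queued were just uncharged, so charge
         * them again before looping; the next pass uncharges them once. */
        if (fixed)
            sk_mem_charge_model(&sk, tosend - sent);
        goto more_data;
    }
    return sk.sk_forward_alloc;
}

/* Model of the consistency check at socket teardown: any non-zero
 * sk_forward_alloc means bytes were credited that were never charged. */
bool teardown_check_warns(long sk_forward_alloc)
{
    return sk_forward_alloc != 0;
}

int main(void)
{
    long before = send_verdict_redirect(22220, 11220, false);
    long after  = send_verdict_redirect(22220, 11220, true);
    printf("unfixed: sk_forward_alloc=%ld warn=%d\n", before, teardown_check_warns(before));
    printf("fixed:   sk_forward_alloc=%ld warn=%d\n", after, teardown_check_warns(after));
    return 0;
}
```

With the commit's numbers the unfixed path ends with 11000 bytes credited to sk_forward_alloc that were never charged (the 11000 left after the first redirect, uncharged once per pass), which is exactly the imbalance the teardown check reports; the fixed path ends at 0. When the redirect drains the whole message in one pass there is no second pass and both variants balance, which is why the bug only shows up when msg has more_data.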

Potential Impact

For European organizations, the impact of CVE-2022-49204 could be significant in environments relying heavily on Linux-based infrastructure, especially those utilizing advanced networking features such as BPF sockmaps for packet filtering, load balancing, or network function virtualization. A successful exploitation or triggering of this vulnerability could lead to kernel instability, causing denial of service through crashes or resource exhaustion. This could disrupt critical services, including web servers, cloud platforms, telecommunications infrastructure, and container orchestration systems that depend on Linux kernels with affected versions. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability could affect a broad range of sectors including finance, healthcare, government, and telecommunications. Although no active exploits are known, the potential for DoS conditions and kernel panics could lead to operational downtime, impacting business continuity and service availability. Additionally, kernel instability might open avenues for further exploitation or privilege escalation if combined with other vulnerabilities, increasing the risk profile for affected organizations.

Mitigation Recommendations

To mitigate CVE-2022-49204, European organizations should:

1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available from trusted Linux distributions or the upstream Linux kernel repository.
2) Conduct an inventory of systems running affected kernel versions, prioritizing those using BPF sockmap features or advanced networking configurations.
3) Implement kernel live patching solutions where possible to minimize downtime while applying critical fixes.
4) Monitor kernel logs for warning messages similar to those described (e.g., sk_stream_kill_queues, inet_sock_destruct) that may indicate attempts to trigger the vulnerability or instability.
5) Restrict access to systems with BPF capabilities to trusted administrators and enforce strict network segmentation to limit exposure.
6) Employ runtime security tools that can detect abnormal kernel behavior or resource mismanagement related to socket buffers.
7) Engage with Linux distribution vendors and security communities to stay informed about patch releases and exploit developments.

These measures go beyond generic advice by focusing on proactive patch management, targeted monitoring of kernel warnings, and limiting exposure of vulnerable features in production environments.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.291Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe525a

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 4:11:46 AM

Last updated: 8/12/2025, 8:26:43 AM

Views: 14
