CVE-2022-49372: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: tcp: tcp_rtx_synack() can be called from process context Laurent reported the enclosed report [1] This bug triggers with following coditions: 0) Kernel built with CONFIG_DEBUG_PREEMPT=y 1) A new passive FastOpen TCP socket is created. This FO socket waits for an ACK coming from client to be a complete ESTABLISHED one. 2) A socket operation on this socket goes through lock_sock() release_sock() dance. 3) While the socket is owned by the user in step 2), a retransmit of the SYN is received and stored in socket backlog. 4) At release_sock() time, the socket backlog is processed while in process context. 5) A SYNACK packet is cooked in response of the SYN retransmit. 6) -> tcp_rtx_synack() is called in process context. Before blamed commit, tcp_rtx_synack() was always called from BH handler, from a timer handler. Fix this by using TCP_INC_STATS() & NET_INC_STATS() which do not assume caller is in non preemptible context. [1] BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180 caller is tcp_rtx_synack.part.0+0x36/0xc0 CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1 Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021 Call Trace: <TASK> dump_stack_lvl+0x48/0x5e check_preemption_disabled+0xde/0xe0 tcp_rtx_synack.part.0+0x36/0xc0 tcp_rtx_synack+0x8d/0xa0 ? kmem_cache_alloc+0x2e0/0x3e0 ? apparmor_file_alloc_security+0x3b/0x1f0 inet_rtx_syn_ack+0x16/0x30 tcp_check_req+0x367/0x610 tcp_rcv_state_process+0x91/0xf60 ? get_nohz_timer_target+0x18/0x1a0 ? lock_timer_base+0x61/0x80 ? preempt_count_add+0x68/0xa0 tcp_v4_do_rcv+0xbd/0x270 __release_sock+0x6d/0xb0 release_sock+0x2b/0x90 sock_setsockopt+0x138/0x1140 ? __sys_getsockname+0x7e/0xc0 ? aa_sk_perm+0x3e/0x1a0 __sys_setsockopt+0x198/0x1e0 __x64_sys_setsockopt+0x21/0x30 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI Analysis
Technical Summary
CVE-2022-49372 is a vulnerability identified in the Linux kernel's TCP stack, specifically involving the function tcp_rtx_synack(). This function is responsible for retransmitting SYN-ACK packets during the TCP three-way handshake process. The vulnerability arises under specific conditions when the kernel is built with the CONFIG_DEBUG_PREEMPT=y option enabled, which allows kernel preemption for debugging purposes. The issue occurs when a passive FastOpen (FO) TCP socket is created and waits for an ACK from a client to establish a connection. During a socket operation that involves locking and releasing the socket (lock_sock() and release_sock()), if a SYN retransmission is received and stored in the socket backlog, the backlog is processed during the release_sock() call while still in process context. This leads to tcp_rtx_synack() being called in process context rather than in a bottom half (BH) or timer handler context as originally designed. The problem is that tcp_rtx_synack() uses __this_cpu_add(), which assumes it is running in a non-preemptible context. When called in a preemptible context, this causes kernel bugs such as preemption errors and potential instability or crashes. The fix implemented involves replacing the problematic statistics increment macros with TCP_INC_STATS() and NET_INC_STATS(), which are safe to use in preemptible contexts. This vulnerability does not appear to have known exploits in the wild and requires the kernel to be compiled with a specific debug preemption option, limiting its exposure somewhat. However, it highlights a subtle concurrency and context assumption bug in the TCP stack's handling of SYN retransmissions under FastOpen sockets in debug-preemptible kernels.
Potential Impact
For European organizations, the impact of CVE-2022-49372 primarily relates to system stability and reliability rather than direct compromise or data breach. Affected Linux systems compiled with CONFIG_DEBUG_PREEMPT=y and using TCP FastOpen could experience kernel crashes or instability due to improper handling of SYN retransmissions. This could lead to denial of service (DoS) conditions on critical servers, especially those handling high volumes of TCP connections or using FastOpen for performance optimization. While the vulnerability does not directly enable privilege escalation or remote code execution, the resulting kernel panics or crashes could disrupt services, impacting availability of critical infrastructure such as web servers, application servers, or network appliances running Linux. European organizations relying on custom or debug kernel builds with this configuration, particularly in development, testing, or specialized production environments, are at risk. The lack of known exploits and the requirement for a debug preemptible kernel build reduce the likelihood of widespread exploitation. However, the vulnerability underscores the importance of careful kernel configuration and patching to maintain system stability. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, any kernel instability can have cascading effects on service delivery and operational continuity.
Mitigation Recommendations
1. Verify Kernel Configuration: European organizations should audit their Linux kernel builds to determine if CONFIG_DEBUG_PREEMPT=y is enabled. This option is typically used for debugging and is not common in production environments. 2. Apply Kernel Updates: Deploy the patched Linux kernel versions that replace unsafe statistics macros with safe alternatives (TCP_INC_STATS() and NET_INC_STATS()). Monitor vendor advisories and update kernels promptly. 3. Avoid Debug Preemptible Kernels in Production: Restrict the use of debug preemptible kernel builds to development and testing environments only. Production systems should use stable, non-debug kernel configurations. 4. Disable TCP FastOpen if Not Required: If TCP FastOpen is not essential, consider disabling it to reduce the attack surface related to this vulnerability. 5. Monitor System Logs: Implement monitoring for kernel warnings or preemption-related errors that could indicate attempts to trigger this bug. 6. Test Kernel Upgrades: Before deploying kernel patches broadly, conduct thorough testing in staging environments to ensure stability and compatibility. 7. Network Controls: Employ network-level protections to limit unsolicited SYN retransmissions from untrusted sources, reducing the chance of triggering the vulnerability. 8. Incident Response Preparedness: Prepare for potential service disruptions by having rollback plans and redundancy for critical Linux-based services.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Italy, Spain
CVE-2022-49372: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: tcp: tcp_rtx_synack() can be called from process context Laurent reported the enclosed report [1] This bug triggers with following coditions: 0) Kernel built with CONFIG_DEBUG_PREEMPT=y 1) A new passive FastOpen TCP socket is created. This FO socket waits for an ACK coming from client to be a complete ESTABLISHED one. 2) A socket operation on this socket goes through lock_sock() release_sock() dance. 3) While the socket is owned by the user in step 2), a retransmit of the SYN is received and stored in socket backlog. 4) At release_sock() time, the socket backlog is processed while in process context. 5) A SYNACK packet is cooked in response of the SYN retransmit. 6) -> tcp_rtx_synack() is called in process context. Before blamed commit, tcp_rtx_synack() was always called from BH handler, from a timer handler. Fix this by using TCP_INC_STATS() & NET_INC_STATS() which do not assume caller is in non preemptible context. [1] BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180 caller is tcp_rtx_synack.part.0+0x36/0xc0 CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1 Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021 Call Trace: <TASK> dump_stack_lvl+0x48/0x5e check_preemption_disabled+0xde/0xe0 tcp_rtx_synack.part.0+0x36/0xc0 tcp_rtx_synack+0x8d/0xa0 ? kmem_cache_alloc+0x2e0/0x3e0 ? apparmor_file_alloc_security+0x3b/0x1f0 inet_rtx_syn_ack+0x16/0x30 tcp_check_req+0x367/0x610 tcp_rcv_state_process+0x91/0xf60 ? get_nohz_timer_target+0x18/0x1a0 ? lock_timer_base+0x61/0x80 ? preempt_count_add+0x68/0xa0 tcp_v4_do_rcv+0xbd/0x270 __release_sock+0x6d/0xb0 release_sock+0x2b/0x90 sock_setsockopt+0x138/0x1140 ? __sys_getsockname+0x7e/0xc0 ? aa_sk_perm+0x3e/0x1a0 __sys_setsockopt+0x198/0x1e0 __x64_sys_setsockopt+0x21/0x30 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI-Powered Analysis
Technical Analysis
CVE-2022-49372 is a vulnerability identified in the Linux kernel's TCP stack, specifically involving the function tcp_rtx_synack(). This function is responsible for retransmitting SYN-ACK packets during the TCP three-way handshake process. The vulnerability arises under specific conditions when the kernel is built with the CONFIG_DEBUG_PREEMPT=y option enabled, which allows kernel preemption for debugging purposes. The issue occurs when a passive FastOpen (FO) TCP socket is created and waits for an ACK from a client to establish a connection. During a socket operation that involves locking and releasing the socket (lock_sock() and release_sock()), if a SYN retransmission is received and stored in the socket backlog, the backlog is processed during the release_sock() call while still in process context. This leads to tcp_rtx_synack() being called in process context rather than in a bottom half (BH) or timer handler context as originally designed. The problem is that tcp_rtx_synack() uses __this_cpu_add(), which assumes it is running in a non-preemptible context. When called in a preemptible context, this causes kernel bugs such as preemption errors and potential instability or crashes. The fix implemented involves replacing the problematic statistics increment macros with TCP_INC_STATS() and NET_INC_STATS(), which are safe to use in preemptible contexts. This vulnerability does not appear to have known exploits in the wild and requires the kernel to be compiled with a specific debug preemption option, limiting its exposure somewhat. However, it highlights a subtle concurrency and context assumption bug in the TCP stack's handling of SYN retransmissions under FastOpen sockets in debug-preemptible kernels.
Potential Impact
For European organizations, the impact of CVE-2022-49372 primarily relates to system stability and reliability rather than direct compromise or data breach. Affected Linux systems compiled with CONFIG_DEBUG_PREEMPT=y and using TCP FastOpen could experience kernel crashes or instability due to improper handling of SYN retransmissions. This could lead to denial of service (DoS) conditions on critical servers, especially those handling high volumes of TCP connections or using FastOpen for performance optimization. While the vulnerability does not directly enable privilege escalation or remote code execution, the resulting kernel panics or crashes could disrupt services, impacting availability of critical infrastructure such as web servers, application servers, or network appliances running Linux. European organizations relying on custom or debug kernel builds with this configuration, particularly in development, testing, or specialized production environments, are at risk. The lack of known exploits and the requirement for a debug preemptible kernel build reduce the likelihood of widespread exploitation. However, the vulnerability underscores the importance of careful kernel configuration and patching to maintain system stability. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, any kernel instability can have cascading effects on service delivery and operational continuity.
Mitigation Recommendations
1. Verify Kernel Configuration: European organizations should audit their Linux kernel builds to determine if CONFIG_DEBUG_PREEMPT=y is enabled. This option is typically used for debugging and is not common in production environments. 2. Apply Kernel Updates: Deploy the patched Linux kernel versions that replace unsafe statistics macros with safe alternatives (TCP_INC_STATS() and NET_INC_STATS()). Monitor vendor advisories and update kernels promptly. 3. Avoid Debug Preemptible Kernels in Production: Restrict the use of debug preemptible kernel builds to development and testing environments only. Production systems should use stable, non-debug kernel configurations. 4. Disable TCP FastOpen if Not Required: If TCP FastOpen is not essential, consider disabling it to reduce the attack surface related to this vulnerability. 5. Monitor System Logs: Implement monitoring for kernel warnings or preemption-related errors that could indicate attempts to trigger this bug. 6. Test Kernel Upgrades: Before deploying kernel patches broadly, conduct thorough testing in staging environments to ensure stability and compatibility. 7. Network Controls: Employ network-level protections to limit unsolicited SYN retransmissions from untrusted sources, reducing the chance of triggering the vulnerability. 8. Incident Response Preparedness: Prepare for potential service disruptions by having rollback plans and redundancy for critical Linux-based services.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T02:08:31.555Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982dc4522896dcbe5808
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 6:29:04 AM
Last updated: 8/17/2025, 4:55:44 PM
Views: 16
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.