CVE-2022-49443: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: list: fix a data-race around ep->rdllist ep_poll() first calls ep_events_available() with no lock held and checks if ep->rdllist is empty by list_empty_careful(), which reads rdllist->prev. Thus all accesses to it need some protection to avoid store/load-tearing. Note INIT_LIST_HEAD_RCU() already has the annotation for both prev and next. Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket fds.") added the first lockless ep_events_available(), and commit c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") made some ep_events_available() calls lockless and added single call under a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") made the last ep_events_available() lockless. BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0: INIT_LIST_HEAD include/linux/list.h:38 [inline] list_splice_init include/linux/list.h:492 [inline] ep_start_scan fs/eventpoll.c:622 [inline] ep_send_events fs/eventpoll.c:1656 [inline] ep_poll fs/eventpoll.c:1806 [inline] do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234 do_epoll_pwait fs/eventpoll.c:2268 [inline] __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline] __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275 __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1: list_empty_careful include/linux/list.h:329 [inline] ep_events_available fs/eventpoll.c:381 [inline] ep_poll fs/eventpoll.c:1797 [inline] do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234 do_epoll_pwait fs/eventpoll.c:2268 [inline] __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline] __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275 __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0xffff88810480c7d0 -> 0xffff888103c15098 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
AI Analysis
Technical Summary
CVE-2022-49443 is a concurrency vulnerability in the Linux kernel's epoll subsystem, specifically related to a data race condition around the ep->rdllist linked list used in event polling. The issue arises because epoll's ep_poll() function calls ep_events_available() without holding a lock, and ep_events_available() checks if ep->rdllist is empty by reading the rdllist->prev pointer. This read operation is not properly synchronized with concurrent writes, leading to potential store/load tearing and data races. The vulnerability was introduced through a series of commits that progressively made ep_events_available() lockless to improve performance, but inadvertently removed necessary synchronization protections. The Kernel Concurrency Sanitizer (KCSAN) detected this data race during testing, indicating that concurrent tasks can simultaneously read and write to the same memory location without proper locking, which can cause undefined behavior, memory corruption, or kernel crashes. The vulnerability affects Linux kernel versions around 5.17.0-rc7 and likely other versions containing the implicated commits. Although no known exploits are reported in the wild, the flaw undermines the integrity and stability of the kernel's event polling mechanism, which is critical for efficient I/O multiplexing in many applications and services. The root cause is a missing lock or synchronization primitive protecting accesses to the ep->rdllist list structure during epoll wait operations, which can lead to race conditions between kernel threads or processes invoking epoll-related syscalls concurrently.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, which are common in servers, cloud infrastructure, and embedded devices. Exploitation could lead to kernel crashes (denial of service), data corruption, or unpredictable behavior in applications relying on epoll for event notification. This can disrupt critical services such as web servers, databases, and network appliances. Given Linux's widespread use in European data centers and cloud environments, the vulnerability could impact availability and reliability of IT infrastructure. Although exploitation does not appear straightforward and no public exploits exist, the vulnerability could be leveraged in targeted attacks or combined with other vulnerabilities to escalate privileges or cause system instability. The lack of authentication or user interaction requirements means that local unprivileged users or compromised processes could potentially trigger the race condition, increasing the attack surface. Organizations in sectors with high availability requirements, such as finance, telecommunications, and public services, may face operational risks if affected systems are not patched promptly.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since the issue stems from missing synchronization in the epoll subsystem, applying vendor-provided kernel updates or backported patches is the most effective mitigation. For environments where immediate patching is not feasible, organizations should restrict untrusted local user access to systems running vulnerable kernels to reduce the risk of exploitation. Monitoring kernel logs for unusual epoll-related errors or crashes can help detect attempts to trigger the race condition. Additionally, employing kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Control Flow Integrity (CFI), and enabling Kernel Concurrency Sanitizer (KCSAN) in testing environments can aid in early detection of concurrency issues. For cloud and containerized environments, ensuring that host kernels are up to date and limiting container privileges can reduce exposure. Finally, organizations should maintain robust incident response plans to quickly address potential kernel-level compromises or service disruptions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2022-49443: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: list: fix a data-race around ep->rdllist ep_poll() first calls ep_events_available() with no lock held and checks if ep->rdllist is empty by list_empty_careful(), which reads rdllist->prev. Thus all accesses to it need some protection to avoid store/load-tearing. Note INIT_LIST_HEAD_RCU() already has the annotation for both prev and next. Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket fds.") added the first lockless ep_events_available(), and commit c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") made some ep_events_available() calls lockless and added single call under a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") made the last ep_events_available() lockless. BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0: INIT_LIST_HEAD include/linux/list.h:38 [inline] list_splice_init include/linux/list.h:492 [inline] ep_start_scan fs/eventpoll.c:622 [inline] ep_send_events fs/eventpoll.c:1656 [inline] ep_poll fs/eventpoll.c:1806 [inline] do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234 do_epoll_pwait fs/eventpoll.c:2268 [inline] __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline] __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275 __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1: list_empty_careful include/linux/list.h:329 [inline] ep_events_available fs/eventpoll.c:381 [inline] ep_poll fs/eventpoll.c:1797 [inline] do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234 do_epoll_pwait fs/eventpoll.c:2268 [inline] __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline] __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275 __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0xffff88810480c7d0 -> 0xffff888103c15098 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
AI-Powered Analysis
Technical Analysis
CVE-2022-49443 is a concurrency vulnerability in the Linux kernel's epoll subsystem, specifically related to a data race condition around the ep->rdllist linked list used in event polling. The issue arises because epoll's ep_poll() function calls ep_events_available() without holding a lock, and ep_events_available() checks if ep->rdllist is empty by reading the rdllist->prev pointer. This read operation is not properly synchronized with concurrent writes, leading to potential store/load tearing and data races. The vulnerability was introduced through a series of commits that progressively made ep_events_available() lockless to improve performance, but inadvertently removed necessary synchronization protections. The Kernel Concurrency Sanitizer (KCSAN) detected this data race during testing, indicating that concurrent tasks can simultaneously read and write to the same memory location without proper locking, which can cause undefined behavior, memory corruption, or kernel crashes. The vulnerability affects Linux kernel versions around 5.17.0-rc7 and likely other versions containing the implicated commits. Although no known exploits are reported in the wild, the flaw undermines the integrity and stability of the kernel's event polling mechanism, which is critical for efficient I/O multiplexing in many applications and services. The root cause is a missing lock or synchronization primitive protecting accesses to the ep->rdllist list structure during epoll wait operations, which can lead to race conditions between kernel threads or processes invoking epoll-related syscalls concurrently.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, which are common in servers, cloud infrastructure, and embedded devices. Exploitation could lead to kernel crashes (denial of service), data corruption, or unpredictable behavior in applications relying on epoll for event notification. This can disrupt critical services such as web servers, databases, and network appliances. Given Linux's widespread use in European data centers and cloud environments, the vulnerability could impact availability and reliability of IT infrastructure. Although exploitation does not appear straightforward and no public exploits exist, the vulnerability could be leveraged in targeted attacks or combined with other vulnerabilities to escalate privileges or cause system instability. The lack of authentication or user interaction requirements means that local unprivileged users or compromised processes could potentially trigger the race condition, increasing the attack surface. Organizations in sectors with high availability requirements, such as finance, telecommunications, and public services, may face operational risks if affected systems are not patched promptly.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since the issue stems from missing synchronization in the epoll subsystem, applying vendor-provided kernel updates or backported patches is the most effective mitigation. For environments where immediate patching is not feasible, organizations should restrict untrusted local user access to systems running vulnerable kernels to reduce the risk of exploitation. Monitoring kernel logs for unusual epoll-related errors or crashes can help detect attempts to trigger the race condition. Additionally, employing kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Control Flow Integrity (CFI), and enabling Kernel Concurrency Sanitizer (KCSAN) in testing environments can aid in early detection of concurrency issues. For cloud and containerized environments, ensuring that host kernels are up to date and limiting container privileges can reduce exposure. Finally, organizations should maintain robust incident response plans to quickly address potential kernel-level compromises or service disruptions.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T02:08:31.571Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ec4522896dcbe5a47
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 7:25:31 AM
Last updated: 8/1/2025, 9:48:19 PM
Views: 15
Related Threats
Researcher to release exploit for full auth bypass on FortiWeb
HighCVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.