
CVE-2022-49450: Vulnerability in the Linux kernel (vendor: Linux)

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 02:13:00 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix listen() setting the bar too high for the prealloc rings

AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump up the sysctl), but whilst the preallocation circular buffers have 32 slots in them, one of them has to be a dead slot because we're using CIRC_CNT().

This means that listen(rxrpc_sock, 32) will cause an oops when the socket is closed because rxrpc_service_prealloc_one() allocated one too many calls and rxrpc_discard_prealloc() won't then be able to get rid of them because it'll think the ring is empty. rxrpc_release_calls_on_socket() then tries to abort them, but oopses because call->peer isn't yet set.

Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match the ring capacity.

    BUG: kernel NULL pointer dereference, address: 0000000000000086
    ...
    RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc]
    Call Trace:
     <TASK>
     ? __wake_up_common_lock+0x7a/0x90
     ? rxrpc_notify_socket+0x8e/0x140 [rxrpc]
     ? rxrpc_abort_call+0x4c/0x60 [rxrpc]
     rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc]
     rxrpc_release+0xc9/0x1c0 [rxrpc]
     __sock_release+0x37/0xa0
     sock_close+0x11/0x20
     __fput+0x89/0x240
     task_work_run+0x59/0x90
     do_exit+0x319/0xaa0

AI-Powered Analysis

Last updated: 06/30/2025, 07:26:56 UTC

Technical Analysis

CVE-2022-49450 is a vulnerability in the Linux kernel's rxrpc protocol implementation, specifically in the handling of the listen() system call for AF_RXRPC sockets. The listen() handler allows a backlog of up to 32 (if the sysctl parameter is raised), but the preallocation circular buffers used to manage calls have only 32 slots, one of which is always a dead slot because occupancy is tracked with CIRC_CNT(); the usable capacity is therefore 31. Setting the backlog to 32 produces an off-by-one error: rxrpc_service_prealloc_one() preallocates one call too many, after which the ring's head and tail wrap to the same index modulo the ring size and CIRC_CNT() reports the ring as empty. When the socket is closed, rxrpc_discard_prealloc() consequently fails to remove the preallocated calls because it believes the ring is empty, and rxrpc_release_calls_on_socket() then attempts to abort them and dereferences the call's peer pointer, which has not yet been set. The result is a kernel oops (crash) with a NULL pointer dereference in rxrpc_send_abort_packet(). The bug is triggered by closing a socket after setting the backlog to 32, causing a denial of service via kernel crash. The root cause is a mismatch between the maximum backlog allowed and the actual ring buffer capacity; the fix limits the backlog to RXRPC_BACKLOG_MAX - 1 to match the ring. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The affected Linux kernel versions are identified by commit hashes rather than a version number range, indicating a code-level fix. The bug can be triggered locally or remotely if an attacker can create and close AF_RXRPC sockets with a high backlog, leading to kernel instability or denial of service.
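The off-by-one described above, modelled as an added example in C (not the kernel's code): a 32-slot ring whose occupancy is measured with CIRC_CNT() holds only 31 entries, so filling it to a backlog of 32 makes it look empty to the discard loop. The macros mirror CIRC_CNT()/CIRC_SPACE() from include/linux/circ_buf.h; struct prealloc_ring and the three functions are simplified stand-ins for the kernel's preallocation ring, rxrpc_service_prealloc_one() and rxrpc_discard_prealloc().

```c
/* Constructed model of the rxrpc call preallocation ring (added example, not
 * kernel code). RXRPC_BACKLOG_MAX is 32 in the kernel; the two macros mirror
 * CIRC_CNT()/CIRC_SPACE() from include/linux/circ_buf.h. */
#define RXRPC_BACKLOG_MAX 32
#define CIRC_CNT(head, tail, size)   (((head) - (tail)) & ((size) - 1))
#define CIRC_SPACE(head, tail, size) CIRC_CNT((tail), ((head) + 1), (size))

/* Free-running head/tail indices; the kernel masks them with size - 1 on use. */
struct prealloc_ring { unsigned int head, tail; };

/* Usable entries in an empty ring: one slot is always dead with CIRC_CNT(). */
unsigned int ring_capacity(void)
{
    return CIRC_SPACE(0u, 0u, RXRPC_BACKLOG_MAX);
}

/* Simplified rxrpc_service_prealloc_one() loop: keep allocating while CIRC_CNT()
 * says fewer than 'backlog' calls are queued. Returns calls allocated. */
unsigned int prealloc_calls(struct prealloc_ring *r, unsigned int backlog)
{
    unsigned int n = 0;
    while (n < backlog &&
           CIRC_CNT(r->head, r->tail, RXRPC_BACKLOG_MAX) < backlog) {
        r->head++;   /* with backlog == 32 the 32nd push wraps head onto tail */
        n++;
    }
    return n;
}

/* Simplified rxrpc_discard_prealloc(): free whatever CIRC_CNT() reports. */
unsigned int discard_prealloc(struct prealloc_ring *r)
{
    unsigned int freed = 0;
    while (CIRC_CNT(r->head, r->tail, RXRPC_BACKLOG_MAX) > 0) {
        r->tail++;
        freed++;
    }
    return freed;
}

/* Calls left behind (allocated but never discarded) for a given backlog:
 * 0 for backlog 31, all 32 for backlog 32. */
unsigned int leaked_for_backlog(unsigned int backlog)
{
    struct prealloc_ring r = { 0, 0 };
    unsigned int allocated = prealloc_calls(&r, backlog);
    return allocated - discard_prealloc(&r);
}
```

Calling leaked_for_backlog(31) and leaked_for_backlog(32) shows why the fix caps the backlog at RXRPC_BACKLOG_MAX - 1: the leaked calls are the ones rxrpc_release_calls_on_socket() later tries to abort.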

Potential Impact

For European organizations, the impact of CVE-2022-49450 primarily involves potential denial of service conditions on Linux systems utilizing the rxrpc protocol, which is commonly used in distributed computing environments and certain enterprise applications. A successful exploitation could cause kernel crashes, leading to system downtime, loss of availability, and potential disruption of critical services. This is particularly concerning for organizations running Linux-based servers in telecommunications, cloud infrastructure, or enterprise environments where AF_RXRPC sockets are in use. While this vulnerability does not appear to allow privilege escalation or remote code execution, the resulting kernel oops could be leveraged as part of a larger attack chain to disrupt operations or cause instability. Given the widespread use of Linux in European data centers and critical infrastructure, unpatched systems could experience service interruptions. However, the requirement to manipulate the backlog parameter and close sockets suggests that exploitation may require local access or specific network conditions, somewhat limiting the attack surface. Nonetheless, organizations with exposed Linux servers or multi-tenant environments should consider this vulnerability a risk to system stability and availability.

Mitigation Recommendations

To mitigate CVE-2022-49450, European organizations should:

1) Apply the official Linux kernel patches that fix the backlog handling in the rxrpc listen() implementation as soon as they become available from their Linux distribution vendors.
2) Monitor and restrict the use of AF_RXRPC sockets where possible, especially in environments where untrusted users or processes may have the ability to create or manipulate such sockets.
3) Implement kernel crash monitoring and alerting to detect any suspicious kernel oops events related to rxrpc.
4) Limit the sysctl parameters that control the backlog size for rxrpc sockets to prevent setting values that exceed the safe threshold (RXRPC_BACKLOG_MAX - 1).
5) Employ strict access controls and containerization to reduce the risk of local exploitation by unprivileged users.
6) Regularly update Linux kernels to incorporate security fixes and maintain system stability.
7) For critical systems, consider disabling rxrpc support if it is not required, reducing the attack surface.

These steps go beyond generic advice by focusing on controlling the specific backlog parameter, monitoring kernel stability, and restricting AF_RXRPC socket usage.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.572Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982ec4522896dcbe5a68

Added to database: 5/21/2025, 9:09:02 AM

Last enriched: 6/30/2025, 7:26:56 AM

Last updated: 8/3/2025, 12:35:06 PM

