CVE-2022-49663: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()

Recently added debug in commit f9aefd6b2aa3 ("net: warn if mac header was not set") caught a bug in skb_tunnel_check_pmtu(), as shown in this syzbot report [1].

In ndo_start_xmit() paths, there is really no need to use skb->mac_header, because skb->data is supposed to point at it.

[1]
WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]
WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
Modules linked in:
CPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline]
RIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
Code: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 <0f> 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00
RSP: 0018:ffffc90002e4f520 EFLAGS: 00010212
RAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000
RDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003
RBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff
R13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f
FS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
geneve_xmit_skb drivers/net/geneve.c:927 [inline]
geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107
__netdev_start_xmit include/linux/netdevice.h:4805 [inline]
netdev_start_xmit include/linux/netdevice.h:4819 [inline]
__dev_direct_xmit+0x500/0x730 net/core/dev.c:4309
dev_direct_xmit include/linux/netdevice.h:3007 [inline]
packet_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282
packet_snd net/packet/af_packet.c:3073 [inline]
packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x6eb/0x810 net/socket.c:2489
___sys_sendmsg+0xf3/0x170 net/socket.c:2543
__sys_sendmsg net/socket.c:2572 [inline]
__do_sys_sendmsg net/socket.c:2581 [inline]
__se_sys_sendmsg net/socket.c:2579 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2579
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f3baaa89109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109
RDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003
RBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000
</TASK>
AI Analysis
Technical Summary
CVE-2022-49663 is a vulnerability identified in the Linux kernel's networking subsystem, specifically within the tunnel handling code. The issue arises from the function skb_tunnel_check_pmtu(), which incorrectly assumes that the MAC header is always set in the socket buffer (skb) structure. This assumption was challenged by a debug warning introduced in a recent kernel commit, which revealed that skb->mac_header may not be set as expected. The vulnerability is rooted in the ndo_start_xmit() transmission paths where skb->mac_header is accessed unnecessarily, as skb->data should already point to the MAC header. This incorrect assumption can lead to kernel warnings and potentially undefined behavior during packet transmission in tunneling protocols such as GENEVE.

The vulnerability was detected through syzbot fuzzing reports, indicating a kernel crash or warning triggered by malformed or unexpected network packets. Although no direct exploit in the wild has been reported, the flaw could be leveraged by an attacker with the ability to send crafted packets to a vulnerable system, potentially causing denial of service (DoS) conditions due to kernel warnings or crashes.

The issue affects Linux kernel versions identified by the commit hashes provided, and it is relevant to environments using Linux networking tunnels, which are common in cloud infrastructure, virtualized environments, and container networking. No CVSS score has been assigned yet, and no patches or exploit code are currently publicly available, but the vulnerability has been officially published and reserved in the Linux vulnerability database.
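A userspace model of the offset arithmetic behind the warning, added here as an illustration; it is not the kernel's code or the upstream patch. `struct skb_model`, `xmit_frame()` and the headroom value are assumptions made for the example; the all-ones "unset" sentinel and the subtraction follow how the helper named in the report computes its result.

```c
#include <stdint.h>
#include <stdio.h>

#define MAC_UNSET ((uint16_t)~0U)  /* offset value meaning "never recorded" */
#define ETH_HLEN  14

/* Simplified stand-in for struct sk_buff; all offsets are relative to head. */
struct skb_model {
    uint16_t data_off;        /* where skb->data points */
    uint16_t mac_header;      /* MAC_UNSET until a caller records it */
    uint16_t network_header;  /* start of the IP header */
};

static int mac_header_was_set(struct skb_model skb)
{
    return skb.mac_header != MAC_UNSET;
}

/* Header-relative length: meaningful only if mac_header was recorded. */
static uint32_t mac_header_len(struct skb_model skb)
{
    return (uint32_t)(skb.network_header - skb.mac_header);
}

/* Data-relative length: valid on transmit, where data sits at the MAC header. */
static uint32_t network_offset(struct skb_model skb)
{
    return (uint32_t)(skb.network_header - skb.data_off);
}

/* Frame handed to a transmit path; record_mac = 0 models the reported case. */
static struct skb_model xmit_frame(uint16_t headroom, int record_mac)
{
    struct skb_model skb = { headroom, MAC_UNSET, (uint16_t)(headroom + ETH_HLEN) };
    if (record_mac)
        skb.mac_header = headroom;
    return skb;
}

int main(void)
{
    struct skb_model ok = xmit_frame(64, 1), bad = xmit_frame(64, 0);
    printf("recorded: header-relative=%u data-relative=%u\n",
           mac_header_len(ok), network_offset(ok));
    printf("unset:    was_set=%d header-relative=%u data-relative=%u\n",
           mac_header_was_set(bad), mac_header_len(bad), network_offset(bad));
    return 0;
}
```

With the sentinel still in place the header-relative result is 4294901839 instead of 14, while the data-relative result stays 14 in both cases.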
Potential Impact
For European organizations, the impact of CVE-2022-49663 primarily revolves around the stability and reliability of Linux-based systems that utilize network tunneling protocols. Many enterprises, cloud providers, and telecommunications companies in Europe rely heavily on Linux kernels for their infrastructure, including virtual private networks (VPNs), software-defined networking (SDN), and container orchestration platforms that use tunneling for network isolation and traffic encapsulation. Exploitation could lead to kernel warnings or crashes, resulting in denial of service conditions that disrupt network connectivity and critical services. This could affect data centers, cloud services, and enterprise networks, potentially causing downtime and impacting business continuity. Although there is no evidence of privilege escalation or remote code execution, the DoS potential could be exploited by attackers to degrade service availability. Given the widespread use of Linux in European critical infrastructure and cloud environments, this vulnerability poses a moderate risk that requires timely mitigation to avoid operational disruptions.
Mitigation Recommendations
To mitigate CVE-2022-49663, European organizations should:

1) Apply the latest Linux kernel updates and patches as soon as they become available from trusted sources or Linux distribution vendors, since the vulnerability is addressed by correcting the skb->mac_header assumption in the kernel code.
2) Monitor kernel logs for warnings related to skb_mac_header_len or skb_tunnel_check_pmtu to detect potential exploitation attempts or instability.
3) Restrict network access to systems running vulnerable kernel versions, especially limiting exposure to untrusted networks where crafted packets could be sent.
4) Employ network-level filtering and intrusion detection systems to identify and block suspicious tunneled traffic patterns that could trigger the vulnerability.
5) For cloud and virtualized environments, ensure hypervisor and container orchestration platforms are updated and configured to minimize exposure of vulnerable kernel networking paths.
6) Engage with Linux distribution security advisories and subscribe to vulnerability feeds to stay informed about patch releases and exploit developments.

These steps go beyond generic advice by focusing on proactive monitoring, network access control, and integration with existing security infrastructure to reduce risk.
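One way to implement the log check in step 2, as an added example that is not part of the original advisory. `scan_klog()`, `struct pmtu_hit` and the sample log are constructed for illustration; the WARNING format and symbol names are the ones in the syzbot report quoted in the description.

```c
#include <stdio.h>
#include <string.h>

/* Details of the first matching report, plus how many reports were seen. */
struct pmtu_hit { int events, pid, via_packet_sock, via_geneve; char site[64]; };
/* Constructed sample: one unrelated warning, then lines in the page's report format. */
static const char SAMPLE_LOG[] =
    "[ 10.0] WARNING: CPU: 0 PID: 77 at fs/example.c:10 example_fn+0x1/0x10\n"
    "[ 42.1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]\n"
    "[ 42.1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413\n"
    "[ 42.1]  geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107\n"
    "[ 42.1]  packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104\n"
    "[ 42.1]  </TASK>\n";

/* Count reports naming either helper; both WARNING lines of one report count once. */
struct pmtu_hit scan_klog(const char *log)
{
    struct pmtu_hit hit = {0};
    int open = 0;                       /* inside a matching report */
    char line[512];
    while (*log) {
        size_t n = strcspn(log, "\n");
        size_t c = n < sizeof(line) - 1 ? n : sizeof(line) - 1;
        memcpy(line, log, c);
        line[c] = '\0';
        log += n + (log[n] == '\n');
        const char *w = strstr(line, "WARNING: CPU:");
        if (w && !open && (strstr(w, "skb_mac_header_len") ||
                           strstr(w, "skb_tunnel_check_pmtu"))) {
            open = 1;
            if (hit.events++ == 0)      /* keep details of the first report only */
                sscanf(w, "WARNING: CPU: %*d PID: %d at %63s", &hit.pid, hit.site);
        } else if (open && hit.events == 1) {
            if (strstr(line, "packet_sendmsg")) hit.via_packet_sock = 1;
            if (strstr(line, "geneve_xmit"))    hit.via_geneve = 1;
        }
        if (open && strstr(line, "</TASK>"))
            open = 0;                   /* end of this report's call trace */
    }
    return hit;
}

int main(void)
{
    struct pmtu_hit h = scan_klog(SAMPLE_LOG);
    printf("events=%d pid=%d site=%s af_packet=%d geneve=%d\n",
           h.events, h.pid, h.site, h.via_packet_sock, h.via_geneve);
    return 0;
}
```

The two trace flags record whether the report came from a local packet-socket sender and whether the GENEVE driver was the tunnel involved, which is the path shown in the report above.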
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:21:30.435Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe4795
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/29/2025, 11:56:24 PM
Last updated: 8/14/2025, 5:11:37 PM