CVE-2022-49669: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race on unaccepted mptcp sockets

When the listener socket owning the relevant request is closed, it frees the unaccepted subflows and that causes later deletion of the paired MPTCP sockets. The mptcp socket's worker can run in the time interval between such delete operations. When that happens, any access to msk->first will cause a UaF access, as the subflow cleanup did not clear such field in the mptcp socket. Address the issue by explicitly traversing the listener socket accept queue at close time and performing the needed cleanup on the pending msk. Note that the locking is a bit tricky, as we need to acquire the msk socket lock, while still owning the subflow socket one.
AI Analysis
Technical Summary
CVE-2022-49669 is a high-severity vulnerability in the Linux kernel's implementation of Multipath TCP (MPTCP). The flaw is a race condition involving unaccepted MPTCP subflow sockets when the listener socket is closed. When the listener socket owning a connection request is closed, it frees the unaccepted subflows, which in turn leads to the deletion of the paired MPTCP sockets (msk). The MPTCP socket's worker can still run in the interval between these delete operations, and because the subflow cleanup does not clear the msk->first pointer, any access to msk->first from the worker is a Use-after-Free (UaF). A kernel UaF is memory corruption that can, at minimum, crash the kernel (denial of service) and, in the worst case, be turned into arbitrary code execution in kernel context. The fix explicitly traverses the listener socket's accept queue at close time and performs the needed cleanup on each pending msk; the locking is delicate, since the msk socket lock must be acquired while the subflow socket lock is still held. The vulnerability is tracked under CWE-416 (Use After Free) and has a CVSS 3.1 base score of 7.8 (high). The vector requires local access (AV:L), low attack complexity (AC:L) and low privileges (PR:L), with no user interaction (UI:N). No known exploits are currently reported in the wild.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those running Linux-based servers or infrastructure that utilize MPTCP for network redundancy and performance improvements. Successful exploitation could lead to kernel crashes, causing denial of service, or potentially privilege escalation through arbitrary code execution in kernel space. This can disrupt critical services, including web servers, cloud infrastructure, and network appliances. Given the widespread use of Linux in European data centers, telecom infrastructure, and government systems, the impact could be substantial. Organizations relying on MPTCP-enabled kernels may face increased risk of service outages or compromise of sensitive data. The vulnerability's local attack vector means that attackers would need some level of access to the system, but insider threats or attackers who have gained limited access could leverage this flaw to escalate privileges or disrupt operations.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2022-49669. Since the vulnerability involves complex locking and socket cleanup logic, relying on vendor-supplied kernel updates is essential rather than attempting manual mitigations. Additionally, organizations should audit and restrict local user privileges to minimize the risk of exploitation by low-privileged users. Network segmentation and strict access controls can reduce the likelihood of attackers gaining local access. Monitoring kernel logs for unusual socket errors or crashes related to MPTCP may help detect exploitation attempts. For environments where immediate patching is not feasible, disabling MPTCP functionality temporarily can mitigate the risk, though this may impact network performance. Finally, maintain up-to-date intrusion detection systems tuned to detect anomalies in kernel behavior or socket operations.
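One way to act on the log-monitoring recommendation above, as an added example that is not part of the advisory or of the kernel project: a small scanner over dmesg-style lines that flags KASAN reports and oopses whose faulting function or call trace lands in MPTCP code. The sample log is constructed, and the `mptcp_`/`subflow_` symbol prefixes are an assumption about how net/mptcp functions are named.

```python
import re
from collections import namedtuple

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")                 # dmesg "[ 145.211] " prefix
KASAN_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
OOPS_RE = re.compile(r"general protection fault|BUG: unable to handle|Oops:")
FRAME_RE = re.compile(r"^(?:\?\s+)?(?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
MPTCP_RE = re.compile(r"^(?:__)?mptcp_|^subflow_")        # assumed MPTCP symbol prefixes

Finding = namedtuple("Finding", "line_no kind func mptcp_frames")

def scan_kernel_log(lines, context=12):
    """Return a Finding for each KASAN report/oops whose header or trace touches MPTCP."""
    findings = []
    for i, raw in enumerate(lines):
        line = TS_RE.sub("", raw).strip()
        m = KASAN_RE.search(line)
        if m:
            kind, func = m["kind"], m["func"]
        elif OOPS_RE.search(line):
            kind, func = "oops", "?"
        else:
            continue
        frames = []                       # call-trace frames in the next `context` lines
        for follow in lines[i + 1:i + 1 + context]:
            fm = FRAME_RE.match(TS_RE.sub("", follow).strip())
            if fm:
                frames.append(fm["func"])
        hits = sorted({f for f in [func] + frames if MPTCP_RE.match(f)})
        if hits:
            findings.append(Finding(i + 1, kind, func, hits))
    return findings

# Constructed sample dmesg excerpt (not a real capture): a KASAN UaF in the
# MPTCP worker, followed by an unrelated report that must not be flagged.
SAMPLE_LOG = """\
[  145.211] BUG: KASAN: use-after-free in mptcp_worker+0x1c0/0x9f0
[  145.213] Call Trace:
[  145.215]  kasan_report+0xb6/0xf0
[  145.216]  mptcp_worker+0x1c0/0x9f0
[  300.000] BUG: KASAN: slab-out-of-bounds in ext4_fill_super+0x10/0x20
[  300.001] Call Trace:
[  300.002]  ext4_fill_super+0x10/0x20
[  300.003]  mount_bdev+0x1/0x2
""".splitlines()

if __name__ == "__main__":
    for f in scan_kernel_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} in {f.func}; MPTCP frames: {f.mptcp_frames}")
```

On a live host, feed it `dmesg` or `journalctl -k` output; a hit on an unpatched kernel is a reason to pull the crash dump, not proof of exploitation.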
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:21:30.436Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe47a5
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 7/3/2025, 2:11:25 AM
Last updated: 8/12/2025, 2:42:46 PM