CVE-2022-49697: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix request_sock leak in sk lookup helpers
A customer reported a request_socket leak in a Calico cloud environment. We found that a BPF program was doing a socket lookup which takes a refcnt on the socket and that it was finding the request_socket but returning the parent LISTEN socket via sk_to_full_sk() without decrementing the child request socket first, resulting in a request_sock slab object leak. This patch retains the existing behaviour of returning full socks to the caller but it also decrements the child request_socket if one is present before doing so to prevent the leak. Thanks to Curtis Taylor for all the help in diagnosing and testing this. And thanks to Antoine Tenart for the reproducer and patch input. v2 of this patch contains a refactor as per Daniel Borkmann's suggestions to validate RCU flags on the listen socket so that it balances with bpf_sk_release(), and updated comments as per Martin KaFai Lau's suggestion. One small change to Daniel's suggestion: put "sk = sk2" under "if (sk2 != sk)" to avoid an extra instruction.
AI Analysis
Technical Summary
CVE-2022-49697 is a vulnerability in the Linux kernel's Berkeley Packet Filter (BPF) subsystem, specifically in its socket lookup helpers. A BPF socket lookup takes a reference count on the socket it finds. When the lookup finds a request_sock (the child object that represents a connection still in the handshake), the helper returns the parent LISTEN socket via sk_to_full_sk() without first dropping the reference it took on the child request_sock, so the request_sock slab object is never freed. The problem was first reported by a customer running a Calico cloud environment, where the leak was observed. The patch keeps the existing behaviour of returning the full socket to the caller, but decrements the child request_sock's reference count before doing so, which prevents the leak. It also validates the Read-Copy-Update (RCU) flags on the listen socket so that the reference handling balances with bpf_sk_release(), and includes a minor refactor that saves an instruction. No exploits in the wild are known and no CVSS score has been assigned. The root cause is a resource management flaw in the kernel's BPF socket lookup helpers; if triggered repeatedly it could exhaust kernel memory over time.
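The reference-count imbalance described above, as an added example that is not part of this page or of the kernel: a user-space C model in which a lookup takes a reference on a request sock, the pre-fix helper swaps in the parent listener and forgets that reference, and the post-fix helper (modelled on the logic the commit message describes, not the actual kernel diff) releases it first and refuses a listener that is not RCU-managed. struct sock, sk_to_full_sk(), sk_fullsock(), sock_gen_put(), the rcu_free flag and the bpf_sk_release model are all simplified stand-ins for the kernel objects the text names.

```c
/* Added example: a user-space model of the request_sock leak fixed by
 * CVE-2022-49697. Not kernel code; every name below is a simplified stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum sk_state { SK_LISTEN, SK_NEW_SYN_RECV, SK_ESTABLISHED };

struct sock {
    enum sk_state state;
    int refcnt;            /* stand-in for sk_refcnt */
    bool rcu_free;         /* stand-in for SOCK_RCU_FREE: RCU-freed, needs no refcnt */
    struct sock *listener; /* stand-in for rsk_listener on a request sock */
};

/* A request sock (NEW_SYN_RECV) is not a full socket. */
static bool sk_fullsock(const struct sock *sk)
{
    return sk->state != SK_NEW_SYN_RECV;
}

/* sk_to_full_sk(): a request sock resolves to its parent listener. It takes
 * no reference on the listener and drops none on the request sock. */
static struct sock *sk_to_full_sk(struct sock *sk)
{
    return sk->state == SK_NEW_SYN_RECV ? sk->listener : sk;
}

/* The low-level lookup takes a reference on whatever it finds. */
static struct sock *skc_lookup(struct sock *found)
{
    found->refcnt++;
    return found;
}

static void sock_gen_put(struct sock *sk)
{
    sk->refcnt--;
}

/* Pre-fix shape: the reference on the request sock is abandoned when the
 * helper substitutes the parent listener, so the request_sock object leaks. */
struct sock *sk_lookup_vulnerable(struct sock *found)
{
    struct sock *sk = skc_lookup(found);
    if (sk) {
        struct sock *sk2 = sk_to_full_sk(sk);
        if (!sk_fullsock(sk2))
            sk2 = NULL;
        sk = sk2;              /* request sock reference is never released */
    }
    return sk;
}

/* Post-fix shape, modelled on the commit message: release the looked-up sock
 * before substituting, and only hand back an RCU-managed listener so that the
 * caller's bpf_sk_release() stays balanced. */
struct sock *sk_lookup_fixed(struct sock *found)
{
    struct sock *sk = skc_lookup(found);
    if (sk) {
        struct sock *sk2 = sk_to_full_sk(sk);
        if (!sk_fullsock(sk2))
            sk2 = NULL;
        if (sk2 != sk) {
            sock_gen_put(sk);  /* drop the request sock reference first */
            if (sk2 && !sk2->rcu_free)
                sk2 = NULL;    /* unreferenced non-RCU listener: refuse it */
            sk = sk2;
        }
    }
    return sk;
}

/* Model of bpf_sk_release(): only refcounted results need a put. */
static void bpf_sk_release_model(struct sock *sk)
{
    if (sk && (!sk_fullsock(sk) || !sk->rcu_free))
        sock_gen_put(sk);
}

/* Run one lookup against a fresh listener + request sock pair and report the
 * request sock's refcnt after the caller released the result:
 * 0 is balanced, anything above 0 is a leaked request_sock object. */
int request_sock_refs_left(struct sock *(*lookup)(struct sock *), bool listener_rcu_free)
{
    struct sock listener = { SK_LISTEN, 1, listener_rcu_free, NULL };
    struct sock reqsk = { SK_NEW_SYN_RECV, 0, false, &listener };
    struct sock *ret = lookup(&reqsk);
    bpf_sk_release_model(ret);
    return reqsk.refcnt;
}

/* 1 if the lookup handed back the listener, 0 if it returned NULL. */
int returns_listener(struct sock *(*lookup)(struct sock *), bool listener_rcu_free)
{
    struct sock listener = { SK_LISTEN, 1, listener_rcu_free, NULL };
    struct sock reqsk = { SK_NEW_SYN_RECV, 0, false, &listener };
    return lookup(&reqsk) == &listener;
}

int main(void)
{
    printf("vulnerable: %d request_sock ref(s) leaked\n",
           request_sock_refs_left(sk_lookup_vulnerable, true));
    printf("fixed:      %d request_sock ref(s) leaked\n",
           request_sock_refs_left(sk_lookup_fixed, true));
    return 0;
}
```

The model shows why the leak is silent: the caller receives a valid listener and, because listeners are RCU-freed, correctly performs no release, so nothing in the caller's code path could ever have compensated for the reference left on the request sock. The fixed helper also demonstrates the RCU-flag check from v2 of the patch: a listener that is not RCU-managed would need a reference the helper never took, so it is refused rather than returned unreferenced.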
Potential Impact
For European organizations, the impact of CVE-2022-49697 primarily relates to potential resource exhaustion on Linux systems running BPF programs that perform socket lookups, such as those used in cloud-native networking environments like Calico. Since BPF is widely used for network monitoring, security, and traffic control, this vulnerability could degrade system performance or cause denial of service due to leaked request_socket objects accumulating in kernel memory. This is particularly relevant for data centers, cloud service providers, and enterprises leveraging Linux-based container orchestration platforms (e.g., Kubernetes) with BPF-enabled networking plugins. While the vulnerability does not directly allow privilege escalation or code execution, the resulting memory leak could impact availability and stability of critical infrastructure. European organizations relying on Linux for networking, cloud, or edge computing workloads may experience service disruptions or increased maintenance overhead if the vulnerability is exploited or triggered inadvertently. However, the absence of known exploits and the requirement for specific BPF program behavior reduce the immediate risk of widespread attacks.
Mitigation Recommendations
1. Apply the official Linux kernel patch that addresses CVE-2022-49697 as soon as it is available and tested in your environment. This is the definitive fix preventing the request_socket leak.
2. Audit and review BPF programs in use, especially those performing socket lookups, to ensure they follow best practices for reference count management and do not inadvertently cause resource leaks.
3. Monitor kernel memory usage and slab allocator statistics for anomalies that could indicate leaking request_socket objects, enabling early detection of exploitation or misbehavior.
4. Limit the deployment of untrusted or third-party BPF programs in production environments to reduce the risk of triggering this vulnerability.
5. For cloud environments using Calico or similar CNI plugins, coordinate with vendors and update to versions incorporating the fix.
6. Implement kernel live patching solutions where feasible to reduce downtime during patch deployment.
7. Maintain robust logging and alerting on kernel errors and resource exhaustion symptoms to facilitate rapid incident response.
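Recommendation 3 above, as an added example that is not from this page or from any vendor tool: a C parser for the /proc/slabinfo format that compares the active object count of the request_sock caches between two snapshots. The cache names assume the kernel's request_sock_<protocol> naming (request_sock_TCP, request_sock_TCPv6); the two snapshots and every number in them are constructed for the example.

```c
/* Added example: detect a growing request_sock slab cache from two
 * /proc/slabinfo snapshots. The snapshots below are constructed; the column
 * layout follows the slabinfo 2.1 format, with <active_objs> as column two. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLABINFO_HEADER \
    "slabinfo - version: 2.1\n" \
    "# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab>" \
    " : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>\n"

/* Constructed snapshot: a quiet system. */
static const char SNAP_T0[] =
    SLABINFO_HEADER
    "request_sock_TCPv6     0      0    328   24    2 : tunables    0    0    0 : slabdata      0      0      0\n"
    "request_sock_TCP      13     26    304   26    2 : tunables    0    0    0 : slabdata      1      1      0\n"
    "TCP                   42     72   2240   14    8 : tunables    0    0    0 : slabdata      6      6      0\n";

/* Constructed snapshot taken later: request socks pile up while the
 * established-socket cache barely moves, which is the leak signature. */
static const char SNAP_T1[] =
    SLABINFO_HEADER
    "request_sock_TCPv6     0      0    328   24    2 : tunables    0    0    0 : slabdata      0      0      0\n"
    "request_sock_TCP    9013   9048    304   26    2 : tunables    0    0    0 : slabdata    348    348      0\n"
    "TCP                   45     72   2240   14    8 : tunables    0    0    0 : slabdata      6      6      0\n";

/* Return <active_objs> for the cache named exactly `cache`, or -1 if absent.
 * Header lines ("slabinfo ...", "# name ...") never match a cache name. */
long slab_active_objs(const char *slabinfo, const char *cache)
{
    size_t clen = strlen(cache);
    const char *line = slabinfo;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* Exact-name match: the character after the name must be a space,
         * so "request_sock_TCP" does not match the request_sock_TCPv6 line. */
        if (len > clen && strncmp(line, cache, clen) == 0 && line[clen] == ' ')
            return strtol(line + clen, NULL, 10);   /* second column */
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

/* Growth of active objects between two snapshots; 0 if the cache is missing. */
long slab_growth(const char *before, const char *after, const char *cache)
{
    long a = slab_active_objs(before, cache);
    long b = slab_active_objs(after, cache);
    return (a < 0 || b < 0) ? 0 : b - a;
}

/* 1 if any request_sock cache grew by more than `threshold` objects between
 * the snapshots. Request socks only live for the duration of a handshake, so
 * sustained growth with a flat TCP cache points at a leak rather than load. */
int request_sock_leak_suspected(const char *before, const char *after, long threshold)
{
    static const char *caches[] = { "request_sock_TCP", "request_sock_TCPv6" };
    for (size_t i = 0; i < sizeof caches / sizeof caches[0]; i++)
        if (slab_growth(before, after, caches[i]) > threshold)
            return 1;
    return 0;
}

int main(void)
{
    /* On a real host, read /proc/slabinfo (root only) twice, minutes apart. */
    printf("request_sock_TCP grew by %ld objects; leak suspected: %d\n",
           slab_growth(SNAP_T0, SNAP_T1, "request_sock_TCP"),
           request_sock_leak_suspected(SNAP_T0, SNAP_T1, 1000));
    return 0;
}
```

On a live host /proc/slabinfo is readable only by root; feed two dumps taken some minutes apart into slab_growth(). The useful signal is the trend rather than any absolute value: a request_sock count that keeps climbing across idle periods while the TCP cache stays flat is what should raise an alert, since healthy request socks are recycled as soon as the handshake completes or times out.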
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:21:30.443Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe488f
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 12:12:32 AM
Last updated: 8/14/2025, 10:44:00 AM