CVE-2022-49732: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: sock: redo the psock vs ULP protection check Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to the new tcp_bpf_update_proto() function. I'm guessing that this was done to allow creating psocks for non-inet sockets. Unfortunately the destruction path for psock includes the ULP unwind, so we need to fail the sk_psock_init() itself. Otherwise if ULP is already present we'll notice that later, and call tcp_update_ulp() with the sk_proto of the ULP itself, which will most likely result in the ULP looping its callbacks.
AI Analysis
Technical Summary
CVE-2022-49732 is a vulnerability identified in the Linux kernel related to the handling of protocol socket (psock) versus upper layer protocol (ULP) protection checks. Specifically, the vulnerability arises from a change in the Linux kernel code where the check inet_csk_has_ulp(sk) was moved from the sk_psock_init() function to a new function tcp_bpf_update_proto(). This change was likely intended to support creating psocks for non-internet sockets. However, the destruction path for psock involves unwinding the ULP, and if the initialization function sk_psock_init() does not fail when a ULP is already present, subsequent calls to tcp_update_ulp() may be made with the protocol of the ULP itself. This can cause the ULP to enter a callback loop, potentially leading to resource exhaustion or kernel instability. The vulnerability is rooted in improper handling of socket protocol layering and lifecycle, which can cause unexpected behavior in the kernel's networking stack. The affected versions are tied to a specific commit hash (8a59f9d1e3d4...), indicating the vulnerability exists in certain kernel versions incorporating that commit. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects the Linux kernel, a core component used widely across servers, desktops, embedded devices, and cloud infrastructure.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions, which are prevalent in enterprise servers, cloud environments, and network infrastructure. Exploitation could lead to kernel instability or denial of service due to the ULP callback loop, potentially disrupting critical services and applications. This can impact confidentiality and integrity indirectly if systems become unavailable or unstable, affecting business continuity. Given the Linux kernel's widespread use in European data centers, telecommunications, and government infrastructure, the vulnerability could affect a broad range of sectors. Although no active exploits are known, the vulnerability's presence in kernel networking code means that attackers with local or possibly network access could trigger the issue, especially in environments using advanced socket features or custom protocols. The impact is heightened in environments with high availability requirements or where kernel stability is critical, such as financial institutions, healthcare providers, and critical infrastructure operators in Europe.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched, especially in production and critical systems. Since the vulnerability relates to a specific commit and kernel code path, applying the latest stable kernel releases from trusted vendors or distributions is essential. Organizations should audit their systems to identify Linux hosts running kernels with the affected commit or versions and schedule immediate patching. Additionally, monitoring kernel logs for unusual socket or networking errors may help detect attempts to trigger the vulnerability. Network segmentation and limiting access to systems with vulnerable kernels can reduce exposure. For environments using custom or non-standard socket protocols, additional code review and testing should be conducted to ensure no unintended interactions with the psock and ULP layers occur. Finally, organizations should maintain robust incident response plans to quickly address any kernel-level issues or instability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
CVE-2022-49732: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: sock: redo the psock vs ULP protection check Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to the new tcp_bpf_update_proto() function. I'm guessing that this was done to allow creating psocks for non-inet sockets. Unfortunately the destruction path for psock includes the ULP unwind, so we need to fail the sk_psock_init() itself. Otherwise if ULP is already present we'll notice that later, and call tcp_update_ulp() with the sk_proto of the ULP itself, which will most likely result in the ULP looping its callbacks.
AI-Powered Analysis
Technical Analysis
CVE-2022-49732 is a vulnerability identified in the Linux kernel related to the handling of protocol socket (psock) versus upper layer protocol (ULP) protection checks. Specifically, the vulnerability arises from a change in the Linux kernel code where the check inet_csk_has_ulp(sk) was moved from the sk_psock_init() function to a new function tcp_bpf_update_proto(). This change was likely intended to support creating psocks for non-internet sockets. However, the destruction path for psock involves unwinding the ULP, and if the initialization function sk_psock_init() does not fail when a ULP is already present, subsequent calls to tcp_update_ulp() may be made with the protocol of the ULP itself. This can cause the ULP to enter a callback loop, potentially leading to resource exhaustion or kernel instability. The vulnerability is rooted in improper handling of socket protocol layering and lifecycle, which can cause unexpected behavior in the kernel's networking stack. The affected versions are tied to a specific commit hash (8a59f9d1e3d4...), indicating the vulnerability exists in certain kernel versions incorporating that commit. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects the Linux kernel, a core component used widely across servers, desktops, embedded devices, and cloud infrastructure.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions, which are prevalent in enterprise servers, cloud environments, and network infrastructure. Exploitation could lead to kernel instability or denial of service due to the ULP callback loop, potentially disrupting critical services and applications. This can impact confidentiality and integrity indirectly if systems become unavailable or unstable, affecting business continuity. Given the Linux kernel's widespread use in European data centers, telecommunications, and government infrastructure, the vulnerability could affect a broad range of sectors. Although no active exploits are known, the vulnerability's presence in kernel networking code means that attackers with local or possibly network access could trigger the issue, especially in environments using advanced socket features or custom protocols. The impact is heightened in environments with high availability requirements or where kernel stability is critical, such as financial institutions, healthcare providers, and critical infrastructure operators in Europe.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched, especially in production and critical systems. Since the vulnerability relates to a specific commit and kernel code path, applying the latest stable kernel releases from trusted vendors or distributions is essential. Organizations should audit their systems to identify Linux hosts running kernels with the affected commit or versions and schedule immediate patching. Additionally, monitoring kernel logs for unusual socket or networking errors may help detect attempts to trigger the vulnerability. Network segmentation and limiting access to systems with vulnerable kernels can reduce exposure. For environments using custom or non-standard socket protocols, additional code review and testing should be conducted to ensure no unintended interactions with the psock and ULP layers occur. Finally, organizations should maintain robust incident response plans to quickly address any kernel-level issues or instability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T02:21:30.449Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982cc4522896dcbe49bf
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 12:54:47 AM
Last updated: 8/14/2025, 12:24:52 AM
Views: 13
Related Threats
CVE-2025-9050: SQL Injection in projectworlds Travel Management System
MediumCVE-2025-9047: SQL Injection in projectworlds Visitor Management System
MediumCVE-2025-9046: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9028: SQL Injection in code-projects Online Medicine Guide
MediumCVE-2025-26709: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ZTE F50
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.