CVE-2022-49871: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix memory leaks of napi_get_frags kmemleak reports after running test_progs: unreferenced object 0xffff8881b1672dc0 (size 232): comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s) hex dump (first 32 bytes): e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g..... 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace: [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150 [<0000000041c7fc09>] __napi_build_skb+0x15/0x50 [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540 [<000000003ecfa30e>] napi_get_frags+0x59/0x140 [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun] [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun] [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320 [<000000008f338ea2>] do_iter_write+0x135/0x630 [<000000008a3377a4>] vfs_writev+0x12e/0x440 [<00000000a6b5639a>] do_writev+0x104/0x280 [<00000000ccf065d8>] do_syscall_64+0x3b/0x90 [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd The issue occurs in the following scenarios: tun_get_user() napi_gro_frags() napi_frags_finish() case GRO_NORMAL: gro_normal_one() list_add_tail(&skb->list, &napi->rx_list); <-- While napi->rx_count < READ_ONCE(gro_normal_batch), <-- gro_normal_list() is not called, napi->rx_list is not empty <-- not ask to complete the gro work, will cause memory leaks in <-- following tun_napi_del() ... tun_napi_del() netif_napi_del() __netif_napi_del() <-- &napi->rx_list is not empty, which caused memory leaks To fix, add napi_complete() after napi_gro_frags().
AI Analysis
Technical Summary
CVE-2022-49871 is a vulnerability identified in the Linux kernel's networking subsystem, specifically within the TUN (network tunnel) driver. The issue arises from improper handling of memory buffers during packet processing in the kernel's NAPI (New API) receive path. The vulnerability is caused by a memory leak due to incomplete cleanup of sk_buff (socket buffer) fragments when certain conditions occur in the GRO (Generic Receive Offload) processing. Specifically, when the napi->rx_list is not emptied because the gro_normal_list() function is not invoked (due to napi->rx_count being less than the gro_normal_batch threshold), the napi_gro_frags() function does not complete the GRO work, leaving the napi->rx_list non-empty. Subsequently, when tun_napi_del() is called to delete the NAPI context, it triggers netif_napi_del() which calls __netif_napi_del(), but since napi->rx_list is not empty, this leads to memory leaks. The root cause is the absence of a call to napi_complete() after napi_gro_frags(), which would otherwise finalize the GRO processing and clear the rx_list. This flaw can cause kernel memory to be leaked during normal operation of the TUN driver, which is commonly used for virtual network interfaces, VPNs, and container networking. Although no direct exploitation or remote code execution is indicated, the memory leak can degrade system stability and performance over time, potentially leading to denial of service conditions on affected Linux systems. The vulnerability affects multiple versions of the Linux kernel identified by the commit hash 90e33d45940793def6f773b2d528e9f3c84ffdc7. A patch involves adding a call to napi_complete() after napi_gro_frags() to ensure proper cleanup of the rx_list and prevent memory leaks.
Potential Impact
For European organizations, the impact of CVE-2022-49871 primarily concerns systems running Linux kernels with the vulnerable TUN driver implementation. Many enterprises, cloud providers, telecom operators, and governmental agencies in Europe rely heavily on Linux-based infrastructure for networking, virtualization, and container orchestration. The TUN driver is widely used in VPN solutions, container networking (e.g., Kubernetes), and virtual network interfaces, making this vulnerability relevant in diverse environments. The memory leak could lead to gradual resource exhaustion on critical network nodes, VPN gateways, or container hosts, causing degraded network performance or service interruptions. While the vulnerability does not directly enable remote code execution or privilege escalation, the resulting denial of service through kernel memory exhaustion could disrupt business operations, especially in high-throughput or large-scale deployments. This is particularly critical for sectors such as finance, healthcare, and critical infrastructure where uptime and network reliability are paramount. Additionally, the vulnerability could be exploited by an attacker with local access or through crafted network traffic to accelerate memory consumption, increasing the risk of service degradation. Given the widespread use of Linux in European data centers and cloud environments, unpatched systems may face operational risks and increased maintenance overhead.
Mitigation Recommendations
To mitigate CVE-2022-49871, European organizations should: 1) Apply the official Linux kernel patches that introduce the call to napi_complete() after napi_gro_frags() as soon as they become available from trusted sources or Linux distribution vendors. 2) For environments using custom or older kernels, backport the fix or upgrade to a kernel version that includes the patch. 3) Monitor kernel memory usage and network subsystem logs for unusual memory growth or warnings related to napi or tun drivers to detect potential exploitation or memory leaks early. 4) Limit local access to systems running vulnerable kernels to reduce the risk of exploitation by untrusted users. 5) In containerized or virtualized environments, ensure that host kernels are patched, as container networking often relies on the host's TUN driver. 6) Employ network segmentation and strict firewall rules to minimize exposure of vulnerable network interfaces. 7) Coordinate with Linux distribution maintainers and vendors to receive timely security updates and advisories. 8) Conduct regular vulnerability assessments and penetration tests focusing on kernel-level vulnerabilities to identify and remediate similar issues proactively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2022-49871: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix memory leaks of napi_get_frags kmemleak reports after running test_progs: unreferenced object 0xffff8881b1672dc0 (size 232): comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s) hex dump (first 32 bytes): e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g..... 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace: [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150 [<0000000041c7fc09>] __napi_build_skb+0x15/0x50 [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540 [<000000003ecfa30e>] napi_get_frags+0x59/0x140 [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun] [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun] [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320 [<000000008f338ea2>] do_iter_write+0x135/0x630 [<000000008a3377a4>] vfs_writev+0x12e/0x440 [<00000000a6b5639a>] do_writev+0x104/0x280 [<00000000ccf065d8>] do_syscall_64+0x3b/0x90 [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd The issue occurs in the following scenarios: tun_get_user() napi_gro_frags() napi_frags_finish() case GRO_NORMAL: gro_normal_one() list_add_tail(&skb->list, &napi->rx_list); <-- While napi->rx_count < READ_ONCE(gro_normal_batch), <-- gro_normal_list() is not called, napi->rx_list is not empty <-- not ask to complete the gro work, will cause memory leaks in <-- following tun_napi_del() ... tun_napi_del() netif_napi_del() __netif_napi_del() <-- &napi->rx_list is not empty, which caused memory leaks To fix, add napi_complete() after napi_gro_frags().
AI-Powered Analysis
Technical Analysis
CVE-2022-49871 is a vulnerability identified in the Linux kernel's networking subsystem, specifically within the TUN (network tunnel) driver. The issue arises from improper handling of memory buffers during packet processing in the kernel's NAPI (New API) receive path. The vulnerability is caused by a memory leak due to incomplete cleanup of sk_buff (socket buffer) fragments when certain conditions occur in the GRO (Generic Receive Offload) processing. Specifically, when the napi->rx_list is not emptied because the gro_normal_list() function is not invoked (due to napi->rx_count being less than the gro_normal_batch threshold), the napi_gro_frags() function does not complete the GRO work, leaving the napi->rx_list non-empty. Subsequently, when tun_napi_del() is called to delete the NAPI context, it triggers netif_napi_del() which calls __netif_napi_del(), but since napi->rx_list is not empty, this leads to memory leaks. The root cause is the absence of a call to napi_complete() after napi_gro_frags(), which would otherwise finalize the GRO processing and clear the rx_list. This flaw can cause kernel memory to be leaked during normal operation of the TUN driver, which is commonly used for virtual network interfaces, VPNs, and container networking. Although no direct exploitation or remote code execution is indicated, the memory leak can degrade system stability and performance over time, potentially leading to denial of service conditions on affected Linux systems. The vulnerability affects multiple versions of the Linux kernel identified by the commit hash 90e33d45940793def6f773b2d528e9f3c84ffdc7. A patch involves adding a call to napi_complete() after napi_gro_frags() to ensure proper cleanup of the rx_list and prevent memory leaks.
Potential Impact
For European organizations, the impact of CVE-2022-49871 primarily concerns systems running Linux kernels with the vulnerable TUN driver implementation. Many enterprises, cloud providers, telecom operators, and governmental agencies in Europe rely heavily on Linux-based infrastructure for networking, virtualization, and container orchestration. The TUN driver is widely used in VPN solutions, container networking (e.g., Kubernetes), and virtual network interfaces, making this vulnerability relevant in diverse environments. The memory leak could lead to gradual resource exhaustion on critical network nodes, VPN gateways, or container hosts, causing degraded network performance or service interruptions. While the vulnerability does not directly enable remote code execution or privilege escalation, the resulting denial of service through kernel memory exhaustion could disrupt business operations, especially in high-throughput or large-scale deployments. This is particularly critical for sectors such as finance, healthcare, and critical infrastructure where uptime and network reliability are paramount. Additionally, the vulnerability could be exploited by an attacker with local access or through crafted network traffic to accelerate memory consumption, increasing the risk of service degradation. Given the widespread use of Linux in European data centers and cloud environments, unpatched systems may face operational risks and increased maintenance overhead.
Mitigation Recommendations
To mitigate CVE-2022-49871, European organizations should: 1) Apply the official Linux kernel patches that introduce the call to napi_complete() after napi_gro_frags() as soon as they become available from trusted sources or Linux distribution vendors. 2) For environments using custom or older kernels, backport the fix or upgrade to a kernel version that includes the patch. 3) Monitor kernel memory usage and network subsystem logs for unusual memory growth or warnings related to napi or tun drivers to detect potential exploitation or memory leaks early. 4) Limit local access to systems running vulnerable kernels to reduce the risk of exploitation by untrusted users. 5) In containerized or virtualized environments, ensure that host kernels are patched, as container networking often relies on the host's TUN driver. 6) Employ network segmentation and strict firewall rules to minimize exposure of vulnerable network interfaces. 7) Coordinate with Linux distribution maintainers and vendors to receive timely security updates and advisories. 8) Conduct regular vulnerability assessments and penetration tests focusing on kernel-level vulnerabilities to identify and remediate similar issues proactively.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-05-01T14:05:17.238Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982cc4522896dcbe4edf
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 2:42:52 AM
Last updated: 7/30/2025, 7:33:25 PM
Views: 13
Related Threats
CVE-2025-52621: CWE-346 Origin Validation Error in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52620: CWE-20 Improper Input Validation in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52619: CWE-209 Generation of Error Message Containing Sensitive Information in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52618: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in HCL Software BigFix SaaS Remediate
MediumCVE-2025-43201: An app may be able to unexpectedly leak a user's credentials in Apple Apple Music Classical for Android
UnknownActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.