CVE-2022-49732

In the Linux kernel, the following vulnerability has been resolved: sock: redo the psock vs ULP protection check Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to the new tcp_bpf_update_proto() function. I'm guessing that this was done to allow creating psocks for non-inet sockets. Unfortunately the destruction path for psock includes the ULP unwind, so we need to fail the sk_psock_init() itself. Otherwise if ULP is already present we'll notice that later, and call tcp_update_ulp() with the sk_proto of the ULP itself, which will most likely result in the ULP looping its callbacks.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/72fa0f65b56605b8a9ae9fba2082f2123f7fe017	Patch
https://git.kernel.org/stable/c/922309e50befb0cfa5cb65e4989b7706d6578846	Patch
https://git.kernel.org/stable/c/e34a07c0ae3906f97eb18df50902e2a01c1015b6	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:5.19:rc3::::::

History

No history.

Information

Published : 2025-02-26 15:15

Updated : 2025-10-24 18:48

NVD link : CVE-2022-49732

Mitre link : CVE-2022-49732

CVE.ORG link : CVE-2022-49732

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-49732", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T15:15:17.843", "references": [{"url": "https://git.kernel.org/stable/c/72fa0f65b56605b8a9ae9fba2082f2123f7fe017", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/922309e50befb0cfa5cb65e4989b7706d6578846", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e34a07c0ae3906f97eb18df50902e2a01c1015b6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock: redo the psock vs ULP protection check\n\nCommit 8a59f9d1e3d4 (\"sock: Introduce sk->sk_prot->psock_update_sk_prot()\")\nhas moved the inet_csk_has_ulp(sk) check from sk_psock_init() to\nthe new tcp_bpf_update_proto() function. I'm guessing that this\nwas done to allow creating psocks for non-inet sockets.\n\nUnfortunately the destruction path for psock includes the ULP\nunwind, so we need to fail the sk_psock_init() itself.\nOtherwise if ULP is already present we'll notice that later,\nand call tcp_update_ulp() with the sk_proto of the ULP\nitself, which will most likely result in the ULP looping\nits callbacks."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sock: rehacer la comprobaci\u00f3n de protecci\u00f3n psock vs ULP el commit 8a59f9d1e3d4 (\"sock: Introduce sk->sk_prot->psock_update_sk_prot()\") ha movido la comprobaci\u00f3n inet_csk_has_ulp(sk) de sk_psock_init() a la nueva funci\u00f3n tcp_bpf_update_proto(). Supongo que esto se hizo para permitir la creaci\u00f3n de psocks para sockets que no sean inet. Desafortunadamente, la ruta de destrucci\u00f3n para psock incluye el desenrollado de ULP, por lo que debemos hacer que falle el propio sk_psock_init(). De lo contrario, si ULP ya est\u00e1 presente, lo notaremos m\u00e1s tarde y llamaremos a tcp_update_ulp() con el sk_proto del propio ULP, lo que probablemente provocar\u00e1 que el ULP repita sus devoluciones de llamadas."}], "lastModified": "2025-10-24T18:48:17.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA59AD4A-9F0B-4A17-9F76-4D464C6F1DDD", "versionEndExcluding": "5.15.51", "versionStartIncluding": "5.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0172D3FA-DDEB-482A-A270-4A1495A8798C", "versionEndExcluding": "5.18.8", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3068028-F453-4A1C-B80F-3F5609ACEF60"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}