CVE-2022-49340

MEDIUM EPSS 17.3%
Published Feb 26, 20251y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 26, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ip_gre: test csum_start instead of transport header GRE with TUNNEL_CSUM will apply local checksum offload on CHECKSUM_PARTIAL packets. ipgre_xmit must validate csum_start after an optional skb_pull, else lco_csum may trigger an overflow. The original check was if (csum && skb_checksum_start(skb) < skb->data) return -EINVAL; This had false positives when skb_checksum_start is undefined: when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement was straightforward if (csum && skb->ip_summed == CHECKSUM_PARTIAL && skb_checksum_start(skb) < skb->data) return -EINVAL; But was eventually revised more thoroughly: - restrict the check to the only branch where needed, in an uncommon GRE path that uses header_ops and calls skb_pull. - test skb_transport_header, which is set along with csum_start in skb_partial_csum_set in the normal header_ops datapath. Turns out skbs can arrive in this branch without the transport header set, e.g., through BPF redirection. Revise the check back to check csum_start directly, and only if CHECKSUM_PARTIAL. Do leave the check in the updated location. Check field regardless of whether TUNNEL_CSUM is configured.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
17.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 7

VendorProductVersionRange
linuxlinux_kernel*≥4.19.207  –  <4.19.247
linuxlinux_kernel*≥5.4.148  –  <5.4.198
linuxlinux_kernel*≥5.10.68  –  <5.10.122
linuxlinux_kernel*≥5.14.7  –  <5.15.47
linuxlinux_kernel*≥5.16  –  <5.17.15
linuxlinux_kernel*≥5.18  –  <5.18.4
linuxlinux_kernel5.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
    Patch