CVE-2022-49372

MEDIUM EPSS 19.3%
Published Feb 26, 20251y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 26, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: tcp: tcp_rtx_synack() can be called from process context Laurent reported the enclosed report [1] This bug triggers with following coditions: 0) Kernel built with CONFIG_DEBUG_PREEMPT=y 1) A new passive FastOpen TCP socket is created. This FO socket waits for an ACK coming from client to be a complete ESTABLISHED one. 2) A socket operation on this socket goes through lock_sock() release_sock() dance. 3) While the socket is owned by the user in step 2), a retransmit of the SYN is received and stored in socket backlog. 4) At release_sock() time, the socket backlog is processed while in process context. 5) A SYNACK packet is cooked in response of the SYN retransmit. 6) -> tcp_rtx_synack() is called in process context. Before blamed commit, tcp_rtx_synack() was always called from BH handler, from a timer handler. Fix this by using TCP_INC_STATS() & NET_INC_STATS() which do not assume caller is in non preemptible context. [1] BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180 caller is tcp_rtx_synack.part.0+0x36/0xc0 CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1 Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021 Call Trace: <TASK> dump_stack_lvl+0x48/0x5e check_preemption_disabled+0xde/0xe0 tcp_rtx_synack.part.0+0x36/0xc0 tcp_rtx_synack+0x8d/0xa0 ? kmem_cache_alloc+0x2e0/0x3e0 ? apparmor_file_alloc_security+0x3b/0x1f0 inet_rtx_syn_ack+0x16/0x30 tcp_check_req+0x367/0x610 tcp_rcv_state_process+0x91/0xf60 ? get_nohz_timer_target+0x18/0x1a0 ? lock_timer_base+0x61/0x80 ? preempt_count_add+0x68/0xa0 tcp_v4_do_rcv+0xbd/0x270 __release_sock+0x6d/0xb0 release_sock+0x2b/0x90 sock_setsockopt+0x138/0x1140 ? __sys_getsockname+0x7e/0xc0 ? aa_sk_perm+0x3e/0x1a0 __sys_setsockopt+0x198/0x1e0 __x64_sys_setsockopt+0x21/0x30 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
19.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel*≥3.7  –  <4.9.318
linuxlinux_kernel*≥4.10  –  <4.14.283
linuxlinux_kernel*≥4.15  –  <4.19.247
linuxlinux_kernel*≥4.20  –  <5.4.198
linuxlinux_kernel*≥5.5  –  <5.10.122
linuxlinux_kernel*≥5.11  –  <5.15.47
linuxlinux_kernel*≥5.16  –  <5.17.15
linuxlinux_kernel*≥5.18  –  <5.18.4

References 9

  • git.kernel.org https://git.kernel.org/stable/c/0a0f7f84148445c9f02f226928803a870139d820
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0a375c822497ed6ad6b5da0792a12a6f1af10c0b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3db889f883e65bbd3b1401279bfc1e9ed255c481
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/58bd38cbc961fd799842b7be8c5222310f04b908
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/88cd232146207ff1d41dededed5e77c0d4438113
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bdc28a8fb43cc476e33b11519235adb816ce00e8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c348b0f8d035fc4bdc040796889beec7218bd1b8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d05c2fdf8e10528bb6751bd95243e862d5402a9b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d8e1bc6029acac796293310aacef7b7336f35b6a
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0a0f7f84148445c9f02f226928803a870139d820
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0a375c822497ed6ad6b5da0792a12a6f1af10c0b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3db889f883e65bbd3b1401279bfc1e9ed255c481
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/58bd38cbc961fd799842b7be8c5222310f04b908
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/88cd232146207ff1d41dededed5e77c0d4438113
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bdc28a8fb43cc476e33b11519235adb816ce00e8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c348b0f8d035fc4bdc040796889beec7218bd1b8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d05c2fdf8e10528bb6751bd95243e862d5402a9b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d8e1bc6029acac796293310aacef7b7336f35b6a
    Patch