{ "affected": [ { "ranges": [ { "events": [ { "introduced": "289f2f58266777f45a52cd55dea96d736e6244c9" }, { "fixed": "af61a8f7603926c26158153d0a0755764d82657c" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" }, { "events": [ { "introduced": "f70cad1085d1e01d3ec73c1078405f906237feee" }, { "fixed": "752add6f5ce5305e55d8bda4ac8d69be3a09f14d" }, { "fixed": "4d54181eba4b077fb74033a7186898ad4000a7a5" }, { "fixed": "3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49198.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb\n\nGot crash when doing pressure test of mptcp:\n\n===========================================================================\ndst_release: dst:ffffa06ce6e5c058 refcnt:-1\nkernel tried to execute NX-protected page - exploit attempt? (uid: 0)\nBUG: unable to handle kernel paging request at ffffa06ce6e5c058\nPGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063\nOops: 0011 [#1] SMP PTI\nCPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G E\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014\nCall Trace:\n ? skb_release_head_state+0x68/0x100\n ? skb_release_all+0xe/0x30\n ? kfree_skb+0x32/0xa0\n ? mptcp_sendmsg_frag+0x57e/0x750\n ? __mptcp_retrans+0x21b/0x3c0\n ? __switch_to_asm+0x35/0x70\n ? mptcp_worker+0x25e/0x320\n ? process_one_work+0x1a7/0x360\n ? worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n ? kthread+0x112/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ? ret_from_fork+0x35/0x40\n===========================================================================\n\nIn __mptcp_alloc_tx_skb skb was allocated and skb-\u003etcp_tsorted_anchor will\nbe initialized, in under memory pressure situation sk_wmem_schedule will\nreturn false and then kfree_skb. In this case skb-\u003e_skb_refdst is not null\nbecause_skb_refdst and tcp_tsorted_anchor are stored in the same mem, and\nkfree_skb will try to release dst and cause crash.", "id": "CVE-2022-49198", "modified": "2026-04-01T23:09:29.238238093Z", "published": "2025-02-26T01:55:41.631Z", "references": [ { "type": "WEB", "url": "https://git.kernel.org/stable/c/3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/4d54181eba4b077fb74033a7186898ad4000a7a5" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/752add6f5ce5305e55d8bda4ac8d69be3a09f14d" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/af61a8f7603926c26158153d0a0755764d82657c" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49198.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49198" }, { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" } ], "schema_version": "1.7.3", "summary": "mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb" }