CVE-2022-49205
Published: 26 February 2025
Summary
CVE-2022-49205 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 3.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Deeper analysis
CVE-2022-49205 is a vulnerability in the Linux kernel's BPF sockmap implementation: the memory charged for an sk_msg can be uncharged twice. If tcp_bpf_sendmsg runs while the socket is being torn down, the psock may already have been freed. The message's memory is then uncharged once in tcp_bpf_send_verdict via sk_msg_return, and again in sk_msg_free when psock is null, a double-free condition classified under CWE-415. It manifests as kernel warnings, such as in inet_sock_destruct at net/ipv4/af_inet.c:155, with traces involving sk_psock_destroy and worker threads.
A local attacker with low privileges (PR:L) can exploit this vulnerability given low attack complexity (AC:L) and no user interaction (UI:N) in an unchanged security scope (S:U). Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), scoring 7.8 on CVSS 3.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), potentially enabling kernel memory corruption, crashes, or escalation through the double-free.
Mitigation is provided through patches merged into Linux kernel stable trees, as detailed in the following commit references: https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434, https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273, https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002, https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c, and https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393. Security practitioners should update affected kernels to incorporate these fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55021
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix double uncharge the mem of sk_msg

If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed.

  tcp_bpf_sendmsg()
    tcp_bpf_send_verdict()
      sk_msg_return()
      tcp_bpf_sendmsg_redir()
        unlikely(!psock))
          sk_msg_free()

The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply return an error code; this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from user side but would look the same as an error if the redirect on the socket threw an error.

This issue can cause the following info:

  WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
  Call Trace:
   <TASK>
   __sk_destruct+0x24/0x1f0
   sk_psock_destroy+0x19b/0x1c0
   process_one_work+0x1b3/0x3c0
   worker_thread+0x30/0x350
   ? process_one_work+0x3c0/0x3c0
   kthread+0xe6/0x110
   ? kthread_complete_and_exit+0x20/0x20
   ret_from_fork+0x22/0x30
   </TASK>
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local double-free in kernel BPF leads directly to memory corruption and privilege escalation from low-privileged context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws, directly mitigating this Linux kernel BPF sockmap double-free by applying vendor patches.
- Memory protection: implements memory protection mechanisms that defend against exploitation of double-free conditions leading to kernel memory corruption.
- SI-11 (Error Handling): ensures secure error handling to prevent improper memory uncharging during socket teardown operations that trigger the double-free.