
CVE-2022-49205

Severity: High

Published: 26 February 2025
Modified: 22 September 2025
KEV added: not listed
Patch: available
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0001 (3.1 percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49205 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel (vendor: Linux). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2022-49205 is a vulnerability in the Linux kernel's BPF sockmap implementation: the memory accounted to an sk_msg can be uncharged twice. The issue arises when tcp_bpf_sendmsg runs while the socket is being torn down, so that the psock may already have been freed. On the redirect path, tcp_bpf_send_verdict has already uncharged the message's memory via sk_msg_return; when tcp_bpf_sendmsg_redir then finds psock to be NULL, it calls sk_msg_free, which uncharges the same memory a second time. The result is a double-free condition classified under CWE-415. It manifests as kernel warnings such as the one in inet_sock_destruct at net/ipv4/af_inet.c:155, with call traces passing through sk_psock_destroy on a kernel worker thread.

A local attacker with low privileges (PR:L) can trigger this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), in an unchanged security scope (S:U). Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), scoring 7.8 on CVSS 3.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), since the double-free can lead to kernel memory corruption, crashes, or privilege escalation.

Mitigation is provided through patches merged into the Linux kernel stable trees, as detailed in the following commit references:

- https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434
- https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273
- https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002
- https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c
- https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393

Security practitioners should update affected kernels to a version that incorporates these fixes.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix double uncharge the mem of sk_msg

If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed.

    tcp_bpf_sendmsg()
     tcp_bpf_send_verdict()
      sk_msg_return()
      tcp_bpf_sendmsg_redir()
       unlikely(!psock))
         sk_msg_free()

The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply return an error code; this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from the user side but would look the same as an error if the redirect on the socket threw an error.

This issue can cause the following info:

    WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
    Call Trace:
     <TASK>
     __sk_destruct+0x24/0x1f0
     sk_psock_destroy+0x19b/0x1c0
     process_one_work+0x1b3/0x3c0
     worker_thread+0x30/0x350
     ? process_one_work+0x3c0/0x3c0
     kthread+0xe6/0x110
     ? kthread_complete_and_exit+0x20/0x20
     ret_from_fork+0x22/0x30
     </TASK>
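To make the accounting error in the commit message and the deeper analysis concrete, here is an added toy model in C. It is not kernel code and not part of the advisory: the function names mirror the ones in the call chain above, but their bodies are a constructed reimplementation in which a counter of charged bytes stands in for the socket's memory accounting, and the errno value returned on the fixed path is a placeholder.

```c
#include <stddef.h>

/* Toy model of sk_msg memory accounting (constructed for this example, not kernel code).
 * "charged" counts bytes currently accounted against the socket; every charge must be
 * balanced by exactly one uncharge, so a negative value means a double uncharge. */
struct sk_msg { long len; };
struct sock {
    long charged;
    void *psock;  /* NULL models a psock already freed by socket teardown */
};

/* sk_msg_return(): hand the msg's bytes back to the socket (one uncharge). */
static void sk_msg_return(struct sock *sk, struct sk_msg *msg) { sk->charged -= msg->len; }
/* sk_msg_free(): release the msg and uncharge its bytes. */
static void sk_msg_free(struct sock *sk, struct sk_msg *msg) { sk->charged -= msg->len; msg->len = 0; }
/* sk_msg_free_nocharge(): release the msg without touching the accounting. */
static void sk_msg_free_nocharge(struct sk_msg *msg) { msg->len = 0; }

/* Pre-fix tcp_bpf_sendmsg_redir(): with psock gone it frees (and uncharges) the msg
 * even though the caller has already returned those bytes. */
static int sendmsg_redir_vulnerable(struct sock *sk, struct sk_msg *msg)
{
    if (!sk->psock) { sk_msg_free(sk, msg); return 0; }
    return 0;  /* normal redirect path is not modelled */
}

/* Post-fix tcp_bpf_sendmsg_redir(): report failure and let the caller's error path
 * free the msg without a second uncharge (the real errno is not modelled; -1 is a placeholder). */
static int sendmsg_redir_fixed(struct sock *sk, struct sk_msg *msg)
{
    (void)msg;
    if (!sk->psock) return -1;
    return 0;
}

/* The __SK_REDIRECT branch of tcp_bpf_send_verdict(): returns the socket's charged
 * byte count after the call, which is 0 when charge and uncharge are balanced. */
static long send_verdict_redirect(struct sock *sk, long len,
                                  int (*redir)(struct sock *, struct sk_msg *))
{
    struct sk_msg msg = { len };
    sk->charged += len;              /* bytes were charged when the msg was built */
    sk_msg_return(sk, &msg);         /* first uncharge, before redirecting */
    if (redir(sk, &msg) < 0)
        sk_msg_free_nocharge(&msg);  /* error path: free, but no second uncharge */
    return sk->charged;
}
```

Run against a socket whose psock is gone, the vulnerable redirect leaves the counter negative, which is the imbalance the inet_sock_destruct warning reports; the fixed redirect leaves it at zero.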

CWE(s)

CWE-415 Double Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why this technique?

A local double-free in the kernel's BPF sockmap code leads directly to kernel memory corruption, and from there to privilege escalation from a low-privileged context.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)


Affected Assets

Linux kernel (vendor: Linux), versions 4.20 to 5.4.189, 5.5 to 5.10.110, and 5.11 to 5.15.33

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of flaws, directly mitigating this Linux kernel BPF sockmap double-free through application of the vendor patches.

Memory protection (prevent): memory protection mechanisms that defend against exploitation of double-free conditions leading to kernel memory corruption.

SI-11 Error Handling (prevent): ensures secure error handling so that socket teardown does not uncharge the same message memory twice, which is what triggers the double-free.
