CVE-2022-49669
Published: 26 February 2025
Summary
CVE-2022-49669 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 28.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2022-49669 is a use-after-free vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation, arising from a race condition on unaccepted MPTCP sockets. When the listener socket owning the relevant request is closed, it frees the unaccepted subflows, which in turn causes the later deletion of the paired MPTCP sockets (msk). If the MPTCP socket's worker runs in the interval between those two delete operations, it dereferences msk->first, which still points at the already freed subflow because the subflow cleanup never cleared that field, resulting in a use-after-free. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements (AV:L/AC:L/PR:L/UI:N/S:U). Successful exploitation could grant high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or system crashes via the use-after-free access.
Fixes have been applied in the Linux kernel stable trees, as documented in kernel commits 6aeed9045071f2252ff4e98fc13d1e304f33e5b0 and a8a3e95c74e48c2c9b07b81fafda9122993f2e12. These commits address the issue by explicitly traversing the listener socket's accept queue at close time and performing the needed cleanup on the pending MPTCP sockets (msk). The locking is tricky because the fix must acquire the msk socket lock while still holding the subflow socket lock.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54564
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race on unaccepted mptcp sockets. When the listener socket owning the relevant request is closed, it frees the unaccepted subflows and that causes later deletion of the paired MPTCP sockets. The mptcp socket's worker can run in the time interval between such delete operations. When that happens, any access to msk->first will cause a UaF access, as the subflow cleanup did not clear such field in the mptcp socket. Address the issue by explicitly traversing the listener socket accept queue at close time and performing the needed cleanup on the pending msk. Note that the locking is a bit tricky, as we need to acquire the msk socket lock while still owning the subflow socket one.
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why this technique? A local kernel use-after-free enables privilege escalation via arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the use-after-free vulnerability in MPTCP by applying the kernel patches that fix the race condition during listener socket closure and subflow cleanup.
- Memory protection: implements safeguards such as address space layout randomization and supervisor mode execution prevention to make exploitation of the MPTCP socket use-after-free harder.
- CM-6 (Configuration Settings): establishes secure kernel configuration settings, such as disabling MPTCP or applying hardening parameters, to reduce exposure to the race condition on unaccepted sockets.
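An added shell check for the CM-6 mitigation above; it is not part of the advisory or of the kernel fix. It reports whether the host can still create MPTCP sockets by reading the kernel's net.mptcp.enabled sysctl, which is the reachability condition for the vulnerable listener/subflow code path; the optional path argument is an assumption of this example, present only so the function can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example: report whether MPTCP socket creation is enabled on this
# host. net.mptcp.enabled is the kernel's documented sysctl; the PATH
# argument (assumed for testing) defaults to the real /proc location.

# mptcp_state [PATH] -> prints "enabled", "disabled", "unknown" or "absent"
mptcp_state() {
    path="${1:-/proc/sys/net/mptcp/enabled}"
    if [ ! -r "$path" ]; then
        # No sysctl file: kernel built without MPTCP, so the affected
        # code path is not reachable on this host.
        printf 'absent\n'
        return 0
    fi
    value="$(tr -d '[:space:]' < "$path")"
    case "$value" in
        1) printf 'enabled\n' ;;
        0) printf 'disabled\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# mptcp_exposed [PATH] -> exit 0 only when MPTCP sockets can still be created
mptcp_exposed() {
    [ "$(mptcp_state "$1")" = "enabled" ]
}

# CM-6 style mitigation for hosts that do not need MPTCP:
#   sysctl -w net.mptcp.enabled=0
# and persist it in /etc/sysctl.d/ as: net.mptcp.enabled = 0
# This only blocks creation of new MPTCP sockets; the real fix for
# CVE-2022-49669 is the patched kernel (SI-2).

if [ "${1:-}" = "--check" ]; then
    printf 'net.mptcp.enabled: %s\n' "$(mptcp_state)"
    if mptcp_exposed; then
        printf 'host can create MPTCP sockets: patch the kernel or disable MPTCP\n'
    fi
fi
```

Run with `sh check-mptcp.sh --check` on the host being assessed.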