CVE-2022-50536

EUVD-2025-32021
In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data

In tcp_bpf_send_verdict() redirection, the eval variable is assigned to
__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,
sock_put() will be called multiple times.

We should reset the eval variable to __SK_NONE every time more_data
starts.

This causes:

IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110
Modules linked in:
CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1
Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
 <TASK>
 __tcp_transmit_skb+0xa1b/0xb90
 ? __alloc_skb+0x8c/0x1a0
 ? __kmalloc_node_track_caller+0x184/0x320
 tcp_write_xmit+0x22a/0x1110
 __tcp_push_pending_frames+0x32/0xf0
 do_tcp_sendpages+0x62d/0x640
 tcp_bpf_push+0xae/0x2c0
 tcp_bpf_sendmsg_redir+0x260/0x410
 ? preempt_count_add+0x70/0xa0
 tcp_bpf_send_verdict+0x386/0x4b0
 tcp_bpf_sendmsg+0x21b/0x3b0
 sock_sendmsg+0x58/0x70
 __sys_sendto+0xfa/0x170
 ? xfd_validate_state+0x1d/0x80
 ? switch_fpu_return+0x59/0xe0
 __x64_sys_sendto+0x24/0x30
 do_syscall_64+0x37/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.4.157 ≤
𝑥
< 5.4.229
linuxlinux_kernel
5.10.77 ≤
𝑥
< 5.10.163
linuxlinux_kernel
5.14.16 ≤
𝑥
< 5.15
linuxlinux_kernel
5.15.1 ≤
𝑥
< 5.15.86
linuxlinux_kernel
5.16 ≤
𝑥
< 6.0.16
linuxlinux_kernel
6.1 ≤
𝑥
< 6.1.2
linuxlinux_kernel
5.15
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.148-1
fixed
bookworm (security)
6.1.153-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.237-1
fixed
forky
6.16.9-1
fixed
sid
6.16.11-1
fixed
trixie
6.12.43-1
fixed
trixie (security)
6.12.48-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
kernel-default
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
kernel-default-base
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
kernel-macros
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
kernel-source
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
kernel-syms
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.280.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
bpftool
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:7.2.0-362.8.1.el9_3
fixed
kernel
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-debug
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-debug-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-debug-devel
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-debug-devel-matched
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-debug-modules
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-debug-modules-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-debug-modules-extra
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-devel
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-devel-matched
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-modules
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-modules-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-64k-modules-extra
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-abi-stablelists
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-core
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-debug
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-debug-core
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-debug-devel
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-debug-devel-matched
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-debug-modules
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-debug-modules-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-debug-modules-extra
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-debug-uki-virt
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-devel
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-devel-matched
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-doc
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-modules
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-modules-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-modules-extra
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-debug
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-debug-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-debug-devel
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-debug-kvm
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-debug-modules
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-debug-modules-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-debug-modules-extra
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-devel
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-kvm
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-modules
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-modules-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-rt-modules-extra
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-tools
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-tools-libs
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-tools-libs-devel
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-uki-virt
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-zfcpdump
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-zfcpdump-core
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-zfcpdump-devel
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-zfcpdump-devel-matched
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-zfcpdump-modules
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-zfcpdump-modules-core
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
kernel-zfcpdump-modules-extra
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
libperf
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
perf
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
python3-perf
RHEL 8
0:4.18.0-372.9.1.el8
fixed
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
rtla
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
rv
RHEL 9
0:5.14.0-362.8.1.el9_3
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/113236e8f49f262f318c00ebb14b15f4834e87c1
https://git.kernel.org/stable/c/28e4a763cd4a2b1a78852216ef4bd7df3a05cec6
https://git.kernel.org/stable/c/578a7628b838a3ac8ad61deaab5a816ff032ac13
https://git.kernel.org/stable/c/7508b9f4daac4ec7dfe0b6fb2d688b1c1c105e10
https://git.kernel.org/stable/c/7a9841ca025275b5b0edfb0b618934abb6ceec15
https://git.kernel.org/stable/c/8786bde11a4f31b63b3036731df0b47337a7a245