CVE-2022-49008 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
can: can327: can327_feed_frame_to_netdev(): fix potential skb leak when netdev is down
In can327_feed_frame_to_netdev(), it did not free the skb when netdev is down, and all callers of can327_feed_frame_to_netdev() did not free allocated skb too. That would trigger skb leak.
Fix it by adding kfree_skb() in can327_feed_frame_to_netdev() when netdev is down. Not tested, just compiled.
Analysis
by VulDB Data Team • 01/18/2026
CVE-2022-49008 resides in the can327 driver, part of the Linux kernel's CAN (Controller Area Network) subsystem. This driver handles CAN frame processing and network device integration within automotive and industrial communication systems. The issue is in the can327_feed_frame_to_netdev() function, which does not release memory correctly when the network device is in a down state. This is a classic memory leak that can accumulate over time and potentially lead to system instability or resource exhaustion.
The technical flaw occurs due to improper handling of socket buffer (skb) memory allocation within the CAN driver's frame processing pipeline. When the network device transitions to a down state, the function fails to execute the kfree_skb() operation to release the allocated socket buffer memory. This memory leak affects all callers of the can327_feed_frame_to_netdev() function since they also do not implement proper skb cleanup when the network device is inactive. The vulnerability is categorized as a memory leak under CWE-401, specifically related to improper resource management in kernel space. The root cause stems from the absence of proper error handling and resource cleanup mechanisms when dealing with network device state transitions.
The operational impact of this vulnerability extends beyond simple memory consumption issues. In automotive and industrial environments where CAN communication is critical for vehicle control systems, industrial automation, and embedded devices, such memory leaks can lead to progressive system degradation. As the kernel continues to process CAN frames while the network device remains inactive, accumulated memory leaks can eventually consume significant portions of system RAM, potentially causing system slowdowns, application crashes, or even complete system hangs. The vulnerability is particularly concerning in embedded systems with limited memory resources where such leaks can quickly exhaust available memory pools and compromise system reliability. This aligns with ATT&CK technique T1490 for resource exhaustion and T1070 for indicator removal through manipulation of system resources.
The fix addresses the core issue by adding kfree_skb() within the can327_feed_frame_to_netdev() function for the case where the network device is detected as down. This ensures proper memory deallocation regardless of the network state, preventing the accumulation of leaked socket buffers. The patch follows established kernel memory management practices and the defensive-programming principle that resources are always freed in error paths. Although the commit message notes that the fix was compiled but not tested, it is a minimal but critical change that aligns with kernel development best practices for preventing memory leaks in network device drivers. The solution directly addresses the immediate memory leak without introducing additional complexity or performance overhead, making it suitable for production environments where stability and reliability are paramount in automotive and industrial applications.
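The ownership bug and its fix, modelled in userspace C as an added example (this is not the kernel's code or the upstream patch). The fixed-size pool, the model_* helpers and the feed_frame_* names are assumptions made for illustration; the model also assumes that the device-up path hands the skb to the network stack, which then owns it.

```c
#include <stdbool.h>
#include <stdio.h>
#define POOL_SIZE 64                        /* constructed cap standing in for kernel memory */
struct net_device { bool running; };        /* stand-in for the netdev up/down state */
static struct sk_buff { bool in_use; } pool[POOL_SIZE];   /* stand-in, not the kernel struct */

static struct sk_buff *model_alloc_skb(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = true; return &pool[i]; }
    return NULL;                            /* pool exhausted */
}
static void model_kfree_skb(struct sk_buff *skb) { skb->in_use = false; }
static void model_netif_rx(struct sk_buff *skb) { skb->in_use = false; }  /* stack takes ownership */

/* Before the fix: the early return drops the only reference to skb. */
static void feed_frame_leaky(struct net_device *dev, struct sk_buff *skb)
{
    if (!dev->running)
        return;                             /* leak: no caller frees skb either */
    model_netif_rx(skb);
}

/* After the fix: skb is freed on the netdev-down path too. */
static void feed_frame_fixed(struct net_device *dev, struct sk_buff *skb)
{
    if (!dev->running) {
        model_kfree_skb(skb);
        return;
    }
    model_netif_rx(skb);
}

/* Feed n frames from a fresh pool; return how many allocations failed. */
int failed_allocs(void (*feed)(struct net_device *, struct sk_buff *), bool up, int n)
{
    struct net_device dev = { .running = up };
    int failed = 0;
    for (int i = 0; i < POOL_SIZE; i++) pool[i].in_use = false;
    for (int i = 0; i < n; i++) {
        struct sk_buff *skb = model_alloc_skb();
        if (skb) feed(&dev, skb); else failed++;
    }
    return failed;
}

int main(void)
{
    printf("netdev down, failed allocations of 100: before fix %d, after fix %d\n", failed_allocs(feed_frame_leaky, false, 100), failed_allocs(feed_frame_fixed, false, 100));
}
```

With the device down, the pre-fix path exhausts the 64-buffer pool and every later allocation fails, while the fixed path never runs out. On a real system the equivalent signal is unreclaimable kernel memory that keeps growing while the interface stays down.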