CVE-2022-49697 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix request_sock leak in sk lookup helpers

A customer reported a request_socket leak in a Calico cloud environment. We found that a BPF program was doing a socket lookup which takes a refcnt on the socket and that it was finding the request_socket but returning the parent LISTEN socket via sk_to_full_sk() without decrementing the child request socket 1st, resulting in request_sock slab object leak. This patch retains the existing behaviour of returning full socks to the caller but it also decrements the child request_socket if one is present before doing so to prevent the leak.

Thanks to Curtis Taylor for all the help in diagnosing and testing this. And thanks to Antoine Tenart for the reproducer and patch input.

v2 of this patch contains a refactor, as per Daniel Borkmann's suggestions, to validate RCU flags on the listen socket so that it balances with bpf_sk_release(), and updated comments as per Martin KaFai Lau's suggestion. One small change to Daniel's suggestion: put "sk = sk2" under "if (sk2 != sk)" to avoid an extra instruction.


Analysis

by VulDB Data Team • 10/24/2025

The vulnerability CVE-2022-49697 represents a critical memory management flaw in the Linux kernel's BPF (Berkeley Packet Filter) subsystem that leads to request socket leaks within the TCP connection handling mechanism. This issue specifically affects the sk lookup helpers, through which BPF programs interact with socket structures during network processing. The vulnerability manifests when a BPF program performs socket lookups that acquire reference counts on sockets, particularly when the lookup finds a request socket belonging to a TCP connection that is still being established. The flaw occurs in the interaction between the BPF program and the kernel's socket management infrastructure, creating a scenario where reference count management becomes inconsistent.

The technical root cause of this vulnerability lies in the improper handling of reference counts when transitioning from request sockets to full sockets during BPF program execution. When a BPF program utilizes a socket lookup helper and the lookup finds a request socket that is part of an incoming TCP connection, the helper correctly takes a reference count on that socket. However, the helper then returns the parent LISTEN socket obtained through sk_to_full_sk() without decrementing the reference count of the child request socket first. This oversight results in a memory leak where request_socket slab objects remain allocated in kernel memory despite no longer being needed. The leak occurs because the reference count of the child request socket never returns to zero, preventing the kernel's memory management subsystem from reclaiming the allocated memory.

The operational impact of this vulnerability extends beyond simple memory consumption issues, particularly in cloud environments like Calico where network processing is intensive and BPF programs are frequently deployed. The memory leak can accumulate over time, leading to progressive memory exhaustion that degrades system performance and potentially causes system instability or crashes. In containerized environments with high network throughput, this vulnerability can compound resource constraints and affect the overall reliability of network services. The vulnerability affects systems where BPF programs interact with socket lookup helpers, making it particularly relevant for network security tools, traffic monitoring systems, and applications that utilize BPF for packet processing and network function virtualization.

This vulnerability aligns with CWE-401 (Improper Release of Memory Before Removing Last Reference) and demonstrates characteristics consistent with ATT&CK technique T1059.007 (Command and Scripting Interpreter: PowerShell) through the use of BPF programs as attack vectors, though the vulnerability itself is not an attack but rather a memory management flaw. The fix implemented addresses the issue by maintaining the existing behavior of returning full sockets to callers while adding proper reference count decrementing for child request sockets before the transition occurs. The patch incorporates feedback from kernel development experts including Daniel Borkmann and Martin KaFai Lau, ensuring that RCU (Read-Copy-Update) flags are properly validated and that the implementation maintains consistency with the bpf_sk_release() function's behavior. The refinement process included optimizing the conditional logic to avoid unnecessary instructions by placing the sk = sk2 assignment under the conditional check when sk2 != sk, demonstrating the careful attention to both correctness and performance in the final implementation.
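The root cause and the fix described in the two paragraphs above, as an added, constructed model rather than the kernel's own code: struct sock, model_sk_to_full_sk(), model_skc_lookup() and model_sk_release() are simplified stand-ins for sk_to_full_sk(), the inner lookup and bpf_sk_release(), and the rcu_free field stands in for the SOCK_RCU_FREE flag that the v2 patch validates on the listener. request_refs_leaked() runs one lookup plus the caller's release and reports how many references stay stuck on the request sock.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the refcount pattern behind this CVE, not kernel code:
 * sock, sk_to_full_sk, the lookup and bpf_sk_release are simplified stand-ins. */
struct sock {
    int refcnt;            /* references held on this object */
    bool rcu_free;         /* SOCK_RCU_FREE: lifetime managed by RCU, not refcnt */
    struct sock *listener; /* non-NULL only for a request_sock: its parent LISTEN sock */
};
/* Stand-in for sk_to_full_sk(): a request sock maps to its listener. */
static struct sock *model_sk_to_full_sk(struct sock *sk) {
    return sk->listener ? sk->listener : sk;
}
/* Stand-in for the inner lookup: hands back 'found' with one reference taken. */
static struct sock *model_skc_lookup(struct sock *found) {
    found->refcnt++;
    return found;
}
/* Stand-in for bpf_sk_release(): an RCU-freed socket carries no refcount to drop. */
void model_sk_release(struct sock *sk) {
    if (!sk->rcu_free)
        sk->refcnt--;
}
/* Buggy helper: returns the listener but keeps the reference on the request sock. */
struct sock *lookup_buggy(struct sock *found) {
    return model_sk_to_full_sk(model_skc_lookup(found));
}
/* Fixed helper: release the request sock before returning its listener, and only
 * hand out a listener whose lifetime is RCU-managed so the caller's release balances. */
struct sock *lookup_fixed(struct sock *found) {
    struct sock *sk = model_skc_lookup(found);
    struct sock *sk2 = model_sk_to_full_sk(sk);
    if (sk2 != sk) {
        model_sk_release(sk);      /* balance the lookup's reference */
        if (!sk2->rcu_free)        /* unexpected refcounted listener: do not return it */
            sk2 = NULL;
    }
    return sk2;
}
/* One lookup plus the caller's release; returns references left stuck on the request sock. */
int request_refs_leaked(struct sock *(*lookup)(struct sock *)) {
    struct sock listener = { .refcnt = 1, .rcu_free = true, .listener = NULL };
    struct sock req = { .refcnt = 1, .rcu_free = false, .listener = &listener };
    struct sock *sk = lookup(&req);
    if (sk) model_sk_release(sk);
    return req.refcnt - 1;         /* 1 for the buggy helper, 0 for the fixed one */
}
```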

The mitigation strategy involves applying the kernel patch that corrects the reference count management in the BPF socket lookup helpers, specifically addressing the interaction between request sockets and full sockets during BPF program execution. Organizations should prioritize updating their Linux kernel versions to include this fix, particularly in environments where BPF programs are actively deployed for network processing tasks. System administrators should monitor memory usage patterns and network performance metrics to detect potential memory leak impacts before the patch is applied. The fix maintains backward compatibility while resolving the specific memory management inconsistency that led to the request socket leak, ensuring that the kernel's socket reference counting mechanisms operate correctly under BPF program influence. This vulnerability underscores the importance of careful reference count management in kernel subsystems and the need for thorough testing of BPF program interactions with core kernel networking components.

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00259

KEV

no

Activities

very low
