CVE-2022-49791 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix multishot accept request leaks
Having REQ_F_POLLED set doesn't guarantee that the request is executed as a multishot from the polling path. Fortunately for us, if the code thinks it's multishot issue when it's not, it can only ask to skip completion so leaking the request. Use issue_flags to mark multipoll issues.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/07/2025
The vulnerability identified as CVE-2022-49791 resides within the Linux kernel's io_uring subsystem, specifically addressing a critical issue in how multishot accept requests are handled. This flaw represents a memory management concern that could lead to resource exhaustion over time, particularly affecting systems heavily reliant on asynchronous I/O operations. The io_uring interface provides high-performance asynchronous I/O capabilities that are essential for modern server applications and network services. When properly implemented, io_uring allows applications to perform I/O operations without blocking, significantly improving throughput and reducing latency. However, the vulnerability stems from a fundamental misunderstanding in the request processing logic that governs how multishot operations are executed within the polling context.
The technical root cause of this vulnerability lies in the improper handling of request flags and execution paths within the io_uring subsystem. Specifically, the code fails to properly distinguish between requests that are genuinely meant to execute as multishot from those that are incorrectly flagged as such. The REQ_F_POLLED flag, which indicates that a request should be executed through the polling path, does not necessarily guarantee that the request will actually operate in multishot mode. This discrepancy creates a scenario where the system might attempt to skip completions for requests that are not actually multishot, leading to the accidental leakage of request structures. The implementation incorrectly assumes that all requests with the polling flag should be treated as multishot, which introduces a race condition and memory management error in the completion handling logic.
From an operational impact perspective, this vulnerability creates a potential denial of service scenario where system resources gradually become consumed due to leaked request structures. The memory leak occurs because when the system incorrectly identifies a non-multishot request as multishot, it fails to properly release the associated request data structures. This can lead to progressive memory consumption that eventually impacts system performance or causes complete system instability under sustained load conditions. Network servers and applications that rely heavily on io_uring for handling concurrent connections are particularly vulnerable, as the multishot accept functionality is commonly used to efficiently process multiple incoming connection requests. The vulnerability affects systems running Linux kernel versions where the io_uring subsystem is active and where applications are utilizing multishot accept operations.
The fix for CVE-2022-49791 addresses this issue by implementing a more robust mechanism for tracking multishot request states through the use of issue_flags. This approach ensures that only requests that are actually intended to be executed as multishot are processed through the multishot path, preventing the inappropriate handling that leads to resource leaks. The solution involves modifying the internal request tracking logic to properly distinguish between polling requests and true multishot operations, thereby preventing the incorrect completion skipping behavior that was causing the memory leaks. This fix aligns with established security practices for managing asynchronous I/O operations and demonstrates proper handling of request state transitions within kernel subsystems. The mitigation strategy effectively resolves the issue by ensuring that each request is properly accounted for in the completion path, preventing the accumulation of leaked request structures that could eventually exhaust system resources. This vulnerability classification aligns with CWE-401: Improper Release of Memory and can be mapped to ATT&CK technique T1499.004: Endpoint Denial of Service within the context of kernel-level resource exhaustion attacks.