CVE-2022-49820 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
mctp i2c: don't count unused / invalid keys for flow release
We're currently hitting the WARN_ON in mctp_i2c_flow_release:
if (midev->release_count > midev->i2c_lock_count) {
WARN_ONCE(1, "release count overflow");
This may be hit if we expire a flow before sending the first packet it contains - as we will not be pairing the increment of release_count (performed on flow release) with the i2c lock operation (only performed on actual TX).
To fix this, only release a flow if we've encountered it previously (ie, dev_flow_state does not indicate NEW), as we will mark the flow as ACTIVE at the same time as accounting for the i2c lock operation. We also need to add an INVALID flow state, to indicate when we've done the release.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/10/2025
The vulnerability described in CVE-2022-49820 resides within the Linux kernel's Management Component Transport Protocol over I2C (MCTP I2C) subsystem, specifically addressing an improper handling of flow control mechanisms during packet transmission. This issue manifests as a potential kernel panic or system instability when attempting to release network flows that have not been properly initialized or validated. The flaw occurs in the mctp_i2c_flow_release function where the kernel maintains counters for tracking flow release operations and I2C lock acquisitions. The vulnerability stems from a mismatch between the incrementing of release_count and the corresponding i2c_lock_count, creating a scenario where the release_count can exceed the i2c_lock_count, triggering the WARN_ONCE macro and potentially leading to system crashes or unexpected behavior in embedded systems utilizing MCTP over I2C communications.
The technical root cause of this vulnerability lies in the improper synchronization between flow state management and resource accounting within the MCTP I2C driver implementation. When a flow is expired before its first packet transmission occurs, the system fails to properly account for the release operation because it does not pair the increment of release_count with the i2c lock operation that only occurs during actual transmission. This creates a scenario where the release_count counter gets incremented without a corresponding i2c_lock_count increment, leading to the overflow condition that triggers the warning. The system's design assumes that every flow release corresponds to a previous I2C lock operation, but this assumption breaks down when flows are prematurely expired or never properly initialized. This type of counter management error falls under CWE-129, which addresses improper handling of resource counters and can lead to resource exhaustion or system instability. The vulnerability specifically impacts the kernel's memory management and resource tracking subsystems, potentially allowing for denial of service conditions or system crashes in environments where MCTP I2C is actively used for management communications.
The operational impact of this vulnerability extends beyond simple system instability to potentially compromise the reliability of management interfaces in embedded systems and servers that utilize MCTP over I2C for firmware updates, configuration management, and health monitoring. Systems using this communication protocol for critical infrastructure management may experience unexpected service interruptions when flows are improperly handled during the packet transmission lifecycle. The vulnerability is particularly concerning in data center environments where MCTP is used for remote management of servers, as it could lead to management interface failures that prevent administrators from accessing or controlling hardware components. Attackers could potentially exploit this vulnerability to cause denial of service conditions by triggering the overflow scenario through malformed or premature flow expiration requests. This aligns with ATT&CK technique T1499.004, which involves network denial of service attacks targeting management interfaces. The vulnerability affects systems running Linux kernel versions where the MCTP I2C subsystem is enabled and actively used for management communications, particularly impacting server platforms, embedded devices, and IoT systems that rely on MCTP for out-of-band management.
The fix implemented for CVE-2022-49820 addresses the fundamental flaw by introducing stricter flow state validation before performing release operations. The solution requires that flows only be released if they have been previously encountered and marked as ACTIVE, ensuring that the release_count increment corresponds to actual I2C lock operations that have occurred. This approach prevents the counter mismatch that previously led to the overflow condition by adding a new INVALID flow state to properly track when release operations occur on flows that should not be released. The implementation follows security best practices by adding proper state validation and ensuring that resource accounting operations are synchronized with actual resource usage. This fix prevents the WARN_ON condition from being triggered by ensuring that release operations are only performed on flows that have undergone proper initialization and I2C lock acquisition. The mitigation strategy aligns with the principle of least privilege and proper resource management, preventing improper flow state transitions that could lead to system instability. The solution also addresses potential security implications by preventing resource exhaustion scenarios that could be exploited to cause system crashes or denial of service conditions in management interfaces. This remediation approach ensures that the kernel's MCTP I2C subsystem maintains proper consistency between flow state tracking and resource accounting, thereby preventing the overflow condition that could lead to system instability or unexpected behavior in management communications. The fix essentially implements a validation mechanism that prevents premature or invalid flow release operations, thereby maintaining the integrity of the flow control system and preventing the conditions that lead to the kernel warning and potential system crashes.