CVE-2022-49822 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix connections leak when tlink setup failed
If the tlink setup failed, lost to put the connections, then the module refcnt leak since the cifsd kthread not exit.
Also leak the fscache info, and for next mount with fsc, it will print the follow errors: CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)
Let's check the result of tlink setup, and do some cleanup.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability described in CVE-2022-49822 represents a critical resource management flaw within the Linux kernel's CIFS (Common Internet File System) implementation. This issue specifically affects the cifsd kernel module which handles SMB/CIFS file sharing operations. The vulnerability manifests as a resource leak that occurs during the establishment of tlink (transport link) connections, which are fundamental components for maintaining network connections between client and server in CIFS operations. The flaw creates a scenario where kernel resources become permanently allocated and unreleased when connection setup fails, leading to systematic degradation of system performance and potential denial of service conditions.
The technical root cause of this vulnerability lies in the improper handling of error conditions during tlink setup operations within the CIFS subsystem. When the tlink setup process encounters a failure, the kernel code fails to execute proper cleanup routines that would normally release allocated resources including module reference counts and fscache information. This failure results in a module reference count leak that prevents the cifsd kernel thread from properly terminating, effectively creating a zombie-like state where resources remain allocated indefinitely. The issue is particularly concerning because it operates at the kernel level where resource leaks can have cascading effects on system stability and performance.
The operational impact of this vulnerability extends beyond simple resource consumption to include functional degradation of CIFS services. The persistent connection leaks prevent proper cleanup of fscache information, which creates a state where subsequent mount operations attempt to reuse cache keys that are already in use. This results in the specific error message "CIFS: Cache volume key already in use" that indicates the system's inability to properly manage cache resources. The leak affects both the kernel module lifecycle management and the caching subsystem, potentially leading to service unavailability, increased memory consumption, and degraded network performance. Attackers could exploit this vulnerability to cause resource exhaustion on systems running CIFS services, leading to denial of service conditions that impact legitimate users.
The vulnerability aligns with CWE-404, which describes improper resource release or unbounded resource consumption, and demonstrates characteristics consistent with the ATT&CK technique T1499.004 for resource exhaustion. The proper mitigation requires implementing comprehensive error handling that ensures cleanup operations execute regardless of whether tlink setup succeeds or fails. This includes verifying the tlink setup result before proceeding with connection establishment, executing explicit cleanup routines for both module reference counts and fscache information, and ensuring that kernel threads properly terminate when connection setup fails. System administrators should prioritize applying kernel patches that address this specific resource management flaw, while also implementing monitoring solutions to detect potential resource leak conditions in production environments. The fix should include robust error checking and cleanup procedures that prevent the accumulation of orphaned resources in the kernel's CIFS subsystem, thereby maintaining system stability and preventing the escalation of resource exhaustion conditions that could impact broader network services.