CVE-2022-49838 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
sctp: clear out_curr if all frag chunks of current msg are pruned
A crash was reported by Zhen Chen:
list_del corruption, ffffa035ddf01c18->next is NULL WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0 RIP: 0010:__list_del_entry_valid+0x59/0xe0 Call Trace: sctp_sched_dequeue_common+0x17/0x70 [sctp]
sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]
sctp_outq_flush_data+0x85/0x360 [sctp]
sctp_outq_uncork+0x77/0xa0 [sctp]
sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]
sctp_side_effects+0x37/0xe0 [sctp]
sctp_do_sm+0xd0/0x230 [sctp]
sctp_primitive_SEND+0x2f/0x40 [sctp]
sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]
sctp_sendmsg+0x3d5/0x440 [sctp]
sock_sendmsg+0x5b/0x70
and in sctp_sched_fcfs_dequeue() it dequeued a chunk from stream out_curr outq while this outq was empty.
Normally stream->out_curr must be set to NULL once all frag chunks of current msg are dequeued, as we can see in sctp_sched_dequeue_done(). However, in sctp_prsctp_prune_unsent() as it is not a proper dequeue, sctp_sched_dequeue_done() is not called to do this.
This patch is to fix it by simply setting out_curr to NULL when the last frag chunk of current msg is dequeued from out_curr stream in sctp_prsctp_prune_unsent().
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability CVE-2022-49838 represents a critical memory corruption issue within the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation that stems from improper handling of out-of-order message fragments during pruning operations. This flaw manifests as a list corruption condition that can lead to system crashes and potential denial of service scenarios. The issue occurs specifically within the sctp_prsctp_prune_unsent() function where the out_curr pointer is not properly cleared when all fragment chunks of the current message have been removed from the stream's output queue. The vulnerability directly impacts the SCTP scheduling mechanism that manages how data chunks are transmitted over the network, creating a dangerous state where the system attempts to access freed memory locations.
The technical root cause of this vulnerability lies in the improper synchronization between fragment chunk management and stream state tracking within the SCTP subsystem. When sctp_prsctp_prune_unsent() processes unsent message fragments, it removes chunks from the outq without invoking the standard sctp_sched_dequeue_done() cleanup function that would normally set stream->out_curr to NULL. This creates a scenario where the out_curr pointer continues to reference a memory location that no longer contains valid data, leading to the list corruption observed in the kernel crash dump. The crash trace shows the system attempting to traverse a corrupted list structure where the next pointer is NULL, indicating that the list integrity has been compromised due to the dangling pointer reference.
From an operational perspective, this vulnerability presents a significant risk to systems relying on SCTP for network communications, particularly in environments where high availability and system stability are critical. The crash condition can be triggered through specific SCTP message transmission patterns involving fragmented data, potentially allowing malicious actors to cause system instability or perform denial of service attacks. The vulnerability is classified under CWE-121 as a buffer overflow condition that occurs when a pointer is not properly cleared after memory deallocation, and it aligns with ATT&CK technique T1499.004 for network denial of service through system resource exhaustion. The flaw affects the kernel's ability to maintain proper state management for SCTP streams, which can result in cascading failures throughout the network stack.
Mitigation strategies for CVE-2022-49838 involve applying the kernel patch that ensures proper clearing of the out_curr pointer when all fragment chunks of a message are pruned from the stream's output queue. System administrators should prioritize updating their Linux kernel versions to include this fix, particularly in production environments where SCTP is actively used for communication. The patch implements a simple but critical change that mirrors the behavior of the standard dequeue completion function, ensuring that the out_curr pointer is properly set to NULL when the last fragment chunk is removed from the stream's output queue. Organizations should also implement monitoring for unusual SCTP-related kernel crashes or memory corruption patterns that might indicate exploitation attempts, and consider implementing additional network segmentation measures to limit the potential impact of such vulnerabilities in their infrastructure.