CVE-2022-49871 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net: tun: Fix memory leaks of napi_get_frags

kmemleak reports after running test_progs:

unreferenced object 0xffff8881b1672dc0 (size 232): comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s) hex dump (first 32 bytes): e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g..... 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace: [] napi_skb_cache_get+0xd4/0x150
[] __napi_build_skb+0x15/0x50
[] __napi_alloc_skb+0x26e/0x540
[] napi_get_frags+0x59/0x140
[] tun_get_user+0x183d/0x3bb0 [tun]
[] tun_chr_write_iter+0xc0/0x1b1 [tun]
[] do_iter_readv_writev+0x19f/0x320
[] do_iter_write+0x135/0x630
[] vfs_writev+0x12e/0x440
[] do_writev+0x104/0x280
[] do_syscall_64+0x3b/0x90
[] entry_SYSCALL_64_after_hwframe+0x63/0xcd

The issue occurs in the following scenarios: tun_get_user() napi_gro_frags() napi_frags_finish() case GRO_NORMAL: gro_normal_one() list_add_tail(&skb->list, &napi->rx_list); rx_count < READ_ONCE(gro_normal_batch), rx_list is not empty <-- not ask to complete the gro work, will cause memory leaks in <-- following tun_napi_del() ... tun_napi_del() netif_napi_del() __netif_napi_del() rx_list is not empty, which caused memory leaks

To fix, add napi_complete() after napi_gro_frags().

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 06/28/2025

The vulnerability identified as CVE-2022-49871 resides within the Linux kernel's TUN network driver implementation, specifically affecting the handling of packet processing through the NAPI (Network API) framework. This memory leak occurs during the processing of network packets when the TUN device interface is utilized, creating a scenario where allocated memory structures remain unreferenced and unreclaimed by the kernel's memory management system. The issue manifests through kmemleak detection tools, which identify unreferenced objects that persist in memory for extended periods, indicating a failure in proper resource cleanup within the network packet processing pipeline.

The technical flaw stems from improper handling of the Generic Receive Offload (GRO) mechanism within the TUN driver's packet processing flow. When packets are processed through the tun_get_user function, they traverse through napi_gro_frags and subsequently napi_frags_finish, where the GRO_NORMAL case is handled without proper completion of the NAPI work. The condition rx_count < READ_ONCE(gro_normal_batch) prevents the system from calling napi_complete(), which is essential for completing the NAPI processing cycle and ensuring that all pending work is properly flushed and cleaned up. This omission results in the napi->rx_list remaining populated with skb (socket buffer) structures that are never freed, leading to a gradual accumulation of memory leaks over time.

The operational impact of this vulnerability extends beyond simple memory consumption, as it can lead to progressive system degradation and potential denial of service conditions. When the TUN device is actively used for packet forwarding or virtual network interface operations, the memory leaks compound with each packet processed, eventually consuming significant portions of available system memory. This behavior particularly affects systems running network-intensive applications that rely heavily on TUN interfaces, such as virtualization platforms, VPN solutions, or network monitoring tools. The vulnerability is particularly concerning in long-running systems where the memory leak accumulates continuously, potentially leading to system instability or resource exhaustion that could compromise the availability of network services.

The fix for CVE-2022-49871 implements a straightforward but critical change by adding napi_complete() call immediately after napi_gro_frags() within the packet processing flow. This ensures that the NAPI completion mechanism is properly invoked even when GRO_NORMAL processing does not trigger a full work completion cycle. This remediation aligns with standard kernel memory management practices and follows the established pattern for NAPI framework usage, where napi_complete() must be called to signal that all pending work has been processed and resources can be safely reclaimed. The solution addresses the root cause by ensuring proper synchronization and resource cleanup within the NAPI processing pipeline, preventing the accumulation of unreferenced socket buffers that were previously left in the rx_list structure.

This vulnerability demonstrates a classic example of improper resource management in kernel networking code and relates to CWE-401 (Improper Release of Memory Before Explicit Re-Release) and CWE-772 (Missing Release of Resource after Effective Lifetime). The attack surface is primarily relevant to systems utilizing TUN network interfaces, with particular risk to virtualization environments and network security appliances that heavily depend on these interfaces. The ATT&CK framework categorizes this vulnerability under T1499.004 (Endpoint Denial of Service) as it can be exploited to consume system resources and potentially cause service disruption. The fix represents a defensive programming approach that ensures proper state management within the NAPI framework, maintaining the integrity of the kernel's memory management system and preventing the accumulation of leaked resources that could be leveraged for resource exhaustion attacks.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00184

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!