CVE-2022-49905 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net/smc: Fix possible leaked pernet namespace in smc_init()

In smc_init(), register_pernet_subsys(&smc_net_stat_ops) is called without any error handling. If it fails, registering of &smc_net_ops won't be reverted. And if smc_nl_init() fails, &smc_net_stat_ops itself won't be reverted.

This leaves wild ops in subsystem linkedlist and when another module tries to call register_pernet_operations() it triggers page fault:

BUG: unable to handle page fault for address: fffffbfff81b964c RIP: 0010:register_pernet_operations+0x1b9/0x5f0 Call Trace: <TASK> register_pernet_subsys+0x29/0x40 ebtables_init+0x58/0x1000 [ebtables]
...

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 03/15/2026

The vulnerability described in CVE-2022-49905 represents a critical resource management flaw within the Linux kernel's Scalable Matrix Communication (SMC) subsystem. This issue manifests as a potential memory leak and subsystem corruption that occurs during the initialization process of the SMC networking module. The flaw specifically affects the pernet namespace management mechanism, where proper error handling is missing during the registration sequence of network operations. When the kernel attempts to initialize the SMC subsystem through the smc_init() function, it calls register_pernet_subsys(&smc_net_stat_ops) without implementing adequate error checking procedures. This oversight creates a scenario where if any of the registration processes fail, the system fails to properly clean up previously registered components, leading to a state where residual operations remain in the subsystem linked list.

The technical implementation of this vulnerability stems from the improper handling of the registration lifecycle within the kernel's networking subsystem. The SMC subsystem maintains a series of operations that must be properly registered and unregistered to maintain system stability. When register_pernet_subsys() fails to register the &smc_net_stat_ops structure, the system does not execute the necessary rollback procedures to undo the registration of &smc_net_ops. Additionally, if smc_nl_init() fails during the initialization sequence, the &smc_net_stat_ops structure itself is not properly reverted, leaving dangling references in the kernel's operational lists. This creates a state where the kernel's subsystem management becomes corrupted, as the linked list structure contains references to operations that should have been cleanly removed from the system.

The operational impact of this vulnerability is severe and can result in system instability and potential kernel panics. When another module attempts to call register_pernet_operations() after this corrupted state has been established, the kernel encounters a page fault at address 0xfffffbf0081b964c. This page fault occurs during the execution of register_pernet_operations+0x1b9/0x5f0, which indicates that the kernel is attempting to access memory locations that are no longer valid due to the corrupted subsystem linked list. The call trace demonstrates how this vulnerability can be triggered by seemingly innocuous operations such as ebtables_init, which attempts to register its own pernet operations after the SMC subsystem has already corrupted the global operation list. This type of vulnerability directly maps to CWE-457: Use of Uninitialized Variable and CWE-755: Improper Handling of Exceptional Conditions, as it involves improper handling of error conditions during kernel initialization.

The remediation approach for this vulnerability requires implementing comprehensive error handling within the smc_init() function to ensure proper rollback mechanisms are executed when registration operations fail. This involves adding conditional checks after each registration call to verify that operations were successfully completed before proceeding to the next step. The kernel must implement a systematic approach to cleaning up partially initialized subsystems, ensuring that if register_pernet_subsys() fails, any previously registered components are properly unregistered through corresponding cleanup functions. Additionally, the system should maintain proper state tracking to prevent the accumulation of orphaned operations in the subsystem linked list. This type of vulnerability mitigation aligns with the ATT&CK technique T1068: Exploitation for Privilege Escalation, as it addresses a foundational kernel flaw that could potentially be exploited by attackers to gain elevated privileges through system instability or memory corruption. The fix should also consider implementing more robust error recovery mechanisms that prevent partial initialization states from persisting in the kernel's operational environment.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!