CVE-2022-49921 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net: sched: Fix use after free in red_enqueue()

We can't use "skb" again after passing it to qdisc_enqueue(). This is basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb len before calling child enqueue").

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/15/2026

The vulnerability identified as CVE-2022-49921 represents a critical use-after-free condition within the Linux kernel's networking subsystem, specifically affecting the traffic control scheduling framework. This flaw exists in the red_enqueue() function which is part of the kernel's packet scheduling mechanisms designed to manage network traffic queues. The issue occurs when a socket buffer skb is passed to the qdisc_enqueue() function, creating a scenario where the same memory reference is accessed after it has been freed or invalidated, leading to potential system instability or exploitation opportunities.

The technical root cause of this vulnerability stems from improper memory management practices within the traffic control subsystem where the kernel fails to properly handle the lifecycle of socket buffer structures after they have been enqueued. When an skb is passed to qdisc_enqueue(), the function processes it and may free the memory associated with that buffer, but subsequent code paths attempt to reference the same skb structure, creating a classic use-after-free scenario. This pattern is particularly dangerous because it can allow attackers to manipulate memory contents or trigger arbitrary code execution through carefully crafted network packets that exploit this timing race condition.

The operational impact of CVE-2022-49921 extends beyond simple system crashes, potentially enabling privilege escalation and denial-of-service conditions across affected Linux systems. Systems running kernel versions containing this vulnerability are at risk of exploitation by malicious actors who can craft network traffic to trigger the use-after-free condition, leading to kernel memory corruption that may result in system panics, reboot cycles, or more severe security implications. The vulnerability affects all systems using the Linux kernel's traffic control mechanisms, particularly those implementing RED (Random Early Detection) queue management algorithms.

Mitigation strategies for this vulnerability require immediate kernel updates to versions containing the fix, which addresses the specific memory management issue in the red_enqueue() function. System administrators should prioritize patching affected systems, as the vulnerability can be exploited remotely through network traffic without requiring authentication. Additionally, network administrators should consider implementing traffic filtering rules to limit exposure, though this represents only a partial workaround since the vulnerability exists within core kernel networking components. Organizations should also monitor for exploitation attempts through network intrusion detection systems and ensure proper kernel version management across all production environments to prevent potential compromise of network infrastructure.

This vulnerability aligns with CWE-416, which describes the use of freed memory condition, and maps to ATT&CK technique T1059 for privilege escalation through kernel exploitation. The fix implemented in the kernel addresses the specific memory management flaw by ensuring proper handling of socket buffer lifecycles, similar to other fixes in the same codebase such as commit 2f09707d0c97 that established proper skb length storage before calling child enqueue operations. The resolution demonstrates the importance of careful memory management in kernel space where improper handling can lead to severe security implications affecting the entire system integrity and network operations.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00159

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!