CVE-2022-49957 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
kcm: fix strp_init() order and cleanup
strp_init() is called just a few lines above this csk->sk_user_data check; it also initializes strp->work etc. Therefore, it is unnecessary to call strp_done() to cancel the freshly initialized work.
And if sk_user_data is already used by KCM, psock->strp should not be touched, particularly strp->work state, so we need to move strp_init() after the csk->sk_user_data check.
This also makes a lockdep warning reported by syzbot go away.
Analysis
by VulDB Data Team • 11/30/2025
CVE-2022-49957 resides in the Linux kernel's kernel connection multiplexer (KCM) subsystem, specifically in the order in which strp_init() is called and cleaned up during socket attachment. The issue is a race condition and improper state-management problem that can lead to system instability and has potential security implications. In the affected code path, the sequence of operations during socket initialization causes a cleanup function to be invoked unnecessarily, which can cause resource-management problems. Because KCM is part of the core kernel networking infrastructure, the flaw affects connection multiplexing operations at the kernel level.
The root cause is the ordering of calls in the kernel's socket-attachment code: strp_init() ran before the check for existing socket user data. strp_init() initializes strp->work, so when that check then failed, strp_done() had to be called to cancel work that had only just been set up. KCM tracks ownership of a socket through its sk_user_data field, which points to the KCM structure. When a new connection multiplexer structure is initialized, the code did not properly account for the case where sk_user_data already holds valid data from an existing KCM connection, leading to inconsistent state management.
The operational impact extends beyond cleanup overhead to the stability of kernel network operations. syzbot, a kernel fuzzer, reported lockdep warnings for this issue, which indicates that the improper ordering can create deadlock scenarios or race conditions that might be exploitable under certain conditions. The fix reorders the calls so that the csk->sk_user_data check runs before strp_init(), preventing a work structure from being initialized only to require immediate cleanup. This aligns with the Linux kernel's locking guidelines and concurrency-control conventions.
The mitigation directly addresses a common pattern of improper state management that can cause resource leaks or inconsistent kernel state. With strp_init() moved after the csk->sk_user_data check, existing connection multiplexer structures are not inadvertently modified or corrupted during initialization, and a freshly initialized work structure never needs immediate cancellation, which could otherwise lead to double-free conditions or other memory-management issues. The change also resolves the lockdep warnings that pointed to potential deadlock scenarios, underscoring the importance of ordering in concurrent kernel code. The weakness falls under the CWE (Common Weakness Enumeration) categories for improper initialization and resource management, and it maps to ATT&CK tactics related to privilege escalation and compromise of system stability through kernel-level vulnerabilities. The corrected implementation keeps kernel state consistent throughout KCM initialization, preserving the integrity of network operations and closing off potential exploitation paths that could arise from improper resource handling.
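The ordering problem described above, as an added illustration that is not code from the Linux kernel or from VulDB: a constructed, user-space model of the attach path in which a psock's stream parser owns a deferred work item. `attach_before_fix` initialises the parser and then checks `sk_user_data`, so a second attach to an already-owned socket cancels work that was set up a moment earlier; `attach_after_fix` performs the ownership check first, so the rejected psock's parser is never touched. All structure and function names here (`strp_init_model`, `attach_twice`, `run_scenario`, and the `*_model` types) are hypothetical stand-ins, and the counters exist only so the two orderings can be compared.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the objects involved in KCM attach:
 * a connection socket with its sk_user_data slot, and a psock whose stream
 * parser (strp) owns a deferred work item. These are NOT the kernel's types. */
struct work_item {
    int initialized;   /* set by strp_init_model(), stands in for INIT_WORK() */
    int cancelled;     /* set by strp_done_model(), stands in for cancel_work_sync() */
};
struct strparser_model { struct work_item work; };
struct csock_model     { void *sk_user_data; };  /* non-NULL once the socket is owned */
struct psock_model     { struct strparser_model strp; struct csock_model *sk; };

/* Observations from one run of the two-attach scenario. */
struct run_result {
    int err;            /* return value of the second (rejected) attach */
    int inits;          /* how many times strp_init_model() ran */
    int dones;          /* how many times strp_done_model() ran */
    int second_touched; /* 1 if the rejected psock's parser state was modified */
};

static int strp_init_model(struct strparser_model *strp, struct run_result *r)
{
    memset(strp, 0, sizeof(*strp));
    strp->work.initialized = 1;
    r->inits++;
    return 0;
}

static void strp_done_model(struct strparser_model *strp, struct run_result *r)
{
    strp->work.cancelled = 1;
    r->dones++;
}

typedef int (*attach_fn)(struct csock_model *, struct psock_model *, struct run_result *);

/* Pre-fix ordering: initialise first, check ownership second. On the
 * "already owned" path the freshly initialised work has to be cancelled. */
static int attach_before_fix(struct csock_model *csk, struct psock_model *psock,
                             struct run_result *r)
{
    int err = strp_init_model(&psock->strp, r);
    if (err)
        return err;
    if (csk->sk_user_data) {
        strp_done_model(&psock->strp, r);  /* cancelling work set up a moment ago */
        return -EALREADY;
    }
    psock->sk = csk;
    csk->sk_user_data = psock;
    return 0;
}

/* Post-fix ordering: check ownership first; strp_init() runs only when the
 * attach will succeed, so the error path never touches strp->work. */
static int attach_after_fix(struct csock_model *csk, struct psock_model *psock,
                            struct run_result *r)
{
    int err;
    if (csk->sk_user_data)
        return -EALREADY;
    err = strp_init_model(&psock->strp, r);
    if (err)
        return err;
    psock->sk = csk;
    csk->sk_user_data = psock;
    return 0;
}

/* Attach two psocks to the same socket with the given ordering and report
 * what happened to the second one, which must be rejected with -EALREADY. */
static struct run_result run_scenario(attach_fn fn)
{
    struct run_result r;
    struct csock_model csk = { .sk_user_data = NULL };
    struct psock_model first, second;

    memset(&r, 0, sizeof(r));
    memset(&first, 0, sizeof(first));
    memset(&second, 0, sizeof(second));
    if (fn(&csk, &first, &r) != 0) {
        r.err = -1;  /* first attach must succeed in this model */
        return r;
    }
    r.err = fn(&csk, &second, &r);
    r.second_touched = second.strp.work.initialized || second.strp.work.cancelled;
    return r;
}

int main(void)
{
    struct run_result before = run_scenario(attach_before_fix);
    struct run_result after  = run_scenario(attach_after_fix);
    printf("before fix: err=%d inits=%d dones=%d rejected psock touched=%d\n",
           before.err, before.inits, before.dones, before.second_touched);
    printf("after fix:  err=%d inits=%d dones=%d rejected psock touched=%d\n",
           after.err, after.inits, after.dones, after.second_touched);
    return 0;
}
```

Both orderings return the same error to the caller, so the difference is invisible from user space; what changes is the amount of state the rejected path creates and then has to unwind. That is the property the fix restores: the parser of a psock that will never be used is neither initialised nor cancelled.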