CVE-2022-49958 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix netdevice reference leaks in attach_default_qdiscs()
In attach_default_qdiscs(), if a dev has multiple queues and queue 0 fails to attach qdisc because there is no memory in attach_one_default_qdisc(), then dev->qdisc will be noop_qdisc by default. But the other queues may be able to successfully attach to default qdisc.
In this case, the fallback to noqueue process will be triggered. If the original attached qdisc is not released and a new one is directly attached, this will cause netdevice reference leaks.
The following is the bug log:
veth0: default qdisc (fq_codel) fail, fallback to noqueue
unregister_netdevice: waiting for veth0 to become free. Usage count = 32
leaked reference.
 qdisc_alloc+0x12e/0x210
 qdisc_create_dflt+0x62/0x140
 attach_one_default_qdisc.constprop.41+0x44/0x70
 dev_activate+0x128/0x290
 __dev_open+0x12a/0x190
 __dev_change_flags+0x1a2/0x1f0
 dev_change_flags+0x23/0x60
 do_setlink+0x332/0x1150
 __rtnl_newlink+0x52f/0x8e0
 rtnl_newlink+0x43/0x70
 rtnetlink_rcv_msg+0x140/0x3b0
 netlink_rcv_skb+0x50/0x100
 netlink_unicast+0x1bb/0x290
 netlink_sendmsg+0x37c/0x4e0
 sock_sendmsg+0x5f/0x70
 ____sys_sendmsg+0x208/0x280
Fix this bug by clearing any non-noop qdiscs that may have been assigned before trying to re-attach.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability described in CVE-2022-49958 resides within the Linux kernel's networking subsystem, specifically in the traffic control implementation responsible for managing packet scheduling queues. This issue manifests in the net/sched component where the attach_default_qdiscs() function fails to properly handle memory allocation failures while attaching queueing disciplines (qdiscs). The flaw creates a scenario where network device reference leaks occur due to improper cleanup of previously attached qdisc structures, leading to resource exhaustion and potential system instability. The vulnerability impacts the kernel's ability to correctly manage network interface queue disciplines, particularly when dealing with multi-queue network devices where individual queue attachments may succeed or fail independently.
The technical root cause of this vulnerability stems from inadequate error handling within the qdisc attachment process. When a network device with multiple queues attempts to attach default qdisc structures, the system may successfully attach to some queues while failing on others due to memory constraints. In such cases, the function defaults to a noop_qdisc for queue 0 but fails to properly clean up previously allocated qdisc structures for other queues. This creates a memory management inconsistency where references to qdisc objects remain in memory even though the network device is being torn down, resulting in the characteristic "leaked reference" error message. The specific failure path involves the attach_one_default_qdisc function returning without proper cleanup, causing subsequent attachment attempts to reference already allocated but improperly managed structures.
The operational impact of this vulnerability extends beyond simple memory leaks to potentially compromise system stability and resource availability. When network devices are repeatedly activated and deactivated, the accumulated reference leaks can exhaust available kernel memory resources, leading to system performance degradation or even kernel panic conditions. The vulnerability particularly affects virtual ethernet interfaces (veth) where the fallback to noqueue qdisc is triggered, as demonstrated in the bug log showing veth0 interface failures. This creates a scenario where the system cannot properly release network device references, causing the "waiting for veth0 to become free" message that indicates the kernel is unable to clean up resources associated with the network interface. The leaked reference count of 32 in the example demonstrates the severity of resource accumulation that can occur under sustained load conditions.
The fix for this vulnerability implements a critical cleanup mechanism that ensures any non-noop qdisc structures that may have been partially attached are properly cleared before attempting new attachment operations. This approach directly addresses the root cause by preventing the accumulation of improperly managed references through the explicit clearing of existing qdisc allocations before new ones are attached. The solution aligns with established kernel memory management best practices and follows the principle of proper resource cleanup in error conditions. This remediation prevents the scenario where multiple qdisc structures remain allocated while the network device is being torn down, thereby eliminating the reference leak that was causing the system to wait for resources that would never be properly released. The fix essentially implements a defensive programming approach that ensures proper state management regardless of whether individual queue attachment operations succeed or fail.
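The error path and its fix can be followed in a small user-space model, added here as an illustration; it is not kernel code and not the upstream patch. The structures, NUM_TXQ, attach_one(), clear_one() and leaked_refs() are simplified assumptions, and the noqueue re-attach is assumed to succeed on every queue.

```c
#include <stdbool.h>
#include <stdio.h>
#define NUM_TXQ 4                       /* assumed queue count for this model */
struct qdisc { int id; };
static struct qdisc noop_qdisc, pool[2 * NUM_TXQ]; /* noop holds no device ref; pool stands in for the allocator */
static int pool_next, fail_queue;       /* fail_queue: queue whose allocation fails */
struct net_device {
    int refcnt;                         /* models the netdevice usage count */
    struct qdisc *txq[NUM_TXQ];         /* qdisc attached to each TX queue */
};

/* A successful allocation takes one device reference (qdisc_alloc in the bug log). */
static void attach_one(struct net_device *dev, int q)
{
    if (q == fail_queue)
        return;                         /* simulated out-of-memory: queue keeps noop_qdisc */
    dev->txq[q] = &pool[pool_next++];   /* overwrites whatever was attached before */
    dev->refcnt++;
}

/* Release a queue's qdisc together with the device reference it holds. */
static void clear_one(struct net_device *dev, int q)
{
    if (dev->txq[q] != &noop_qdisc)
        dev->refcnt--;
    dev->txq[q] = &noop_qdisc;
}

/* Returns the device references still held after teardown; 0 means no leak. */
int leaked_refs(bool fixed)
{
    struct net_device dev = { 0 };
    pool_next = fail_queue = 0;         /* fresh allocator; first pass fails only on queue 0 */
    for (int q = 0; q < NUM_TXQ; q++) dev.txq[q] = &noop_qdisc;
    for (int q = 0; q < NUM_TXQ; q++) attach_one(&dev, q);
    if (dev.txq[0] == &noop_qdisc) {    /* dev->qdisc is noop_qdisc: fall back to noqueue */
        for (int q = 0; fixed && q < NUM_TXQ; q++) clear_one(&dev, q);  /* the fix */
        fail_queue = -1;                /* assumption: the noqueue attach succeeds everywhere */
        for (int q = 0; q < NUM_TXQ; q++) attach_one(&dev, q);
    }
    for (int q = 0; q < NUM_TXQ; q++) clear_one(&dev, q);   /* unregister path */
    return dev.refcnt;
}

int main(void)
{
    printf("leaked refs: unpatched=%d patched=%d\n", leaked_refs(false), leaked_refs(true));
    return 0;
}
```

In the unpatched path, every queue other than queue 0 keeps one orphaned qdisc whose device reference is never dropped, which is why unregister_netdevice waits indefinitely.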
This vulnerability demonstrates characteristics consistent with CWE-404, which describes improper resource management, and relates to ATT&CK technique T1490, specifically resource exhaustion attacks. The flaw represents a classic case of memory leak in kernel space that could be exploited by malicious actors to consume system resources over time, potentially leading to denial of service conditions. The issue highlights the importance of proper error handling and resource cleanup in kernel subsystems where memory management is critical for system stability. The fix demonstrates the necessity of maintaining consistent state management and proper reference counting in kernel networking components, particularly when dealing with complex multi-threaded operations involving network device activation and deactivation sequences.