CVE-2022-50243 in Linux

Summary

by MITRE • 09/15/2025

In the Linux kernel, the following vulnerability has been resolved:

sctp: handle the error returned from sctp_auth_asoc_init_active_key

When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freed while it's still used as active key in asoc. Then a use-after-free will be triggered when sending packets, as found by syzbot:

sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
sctp_set_owner_w net/sctp/socket.c:132 [inline]
sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734

This patch is to fix it by not replacing the sh_key when it returns errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). For sctp_auth_set_active_key(), old active_key_id will be set back to asoc->active_key_id when the same thing happens.


Analysis

by VulDB Data Team • 01/10/2026

The vulnerability identified as CVE-2022-50243 represents a critical use-after-free condition within the Linux kernel's Stream Control Transmission Protocol implementation. This flaw exists in the SCTP authentication subsystem where proper error handling fails to prevent memory corruption during active key updates. The issue manifests when sctp_auth_asoc_init_active_key() returns an error during the authentication key initialization process, but the system continues to operate with stale references to memory that has already been freed.

The technical root cause stems from improper state management in the SCTP authentication framework where error conditions are not adequately handled during key replacement operations. When sctp_auth_asoc_init_active_key() fails, the system attempts to free the existing sh_key structure while simultaneously allowing the old key to remain referenced as the active key in the association context. This creates a scenario where memory that has been deallocated is still being accessed during packet transmission operations, leading to undefined behavior and potential exploitation opportunities.

The operational impact of this vulnerability extends beyond simple system instability to potential security compromises within network communications. The use-after-free condition can be triggered during normal packet sending operations through the sctp_sendmsg_to_asoc function path, making it particularly dangerous as it can be exploited by remote attackers to execute arbitrary code or cause system crashes. The attack vector leverages legitimate SCTP communication channels, making detection and prevention challenging. This vulnerability directly maps to CWE-416, representing an explicit use-after-free error condition that occurs when memory is freed and then accessed.

The exploitation pathway follows a well-defined sequence where syzbot identified the exact function calls leading to memory corruption, starting with sctp_auth_shkey_hold() accessing freed memory, followed by sctp_set_owner_w() and ultimately sctp_sendmsg_to_asoc() attempting to send packets with corrupted authentication state. The fix implemented addresses this by preventing the replacement of sh_key structures when sctp_auth_asoc_init_active_key() returns errors, ensuring that stale references are not established. Additionally, the patch implements proper rollback mechanisms for sctp_auth_set_active_key() to restore the previous active_key_id when errors occur, maintaining system consistency.
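To make the two error paths concrete, here is an added C model. It is constructed for this page and is not the kernel's SCTP code or part of the VulDB record: the struct layout, the static key pool and the `fail` flag that stands in for the allocation failure inside the init routine are assumptions. Instead of really freeing memory it sets a `freed` flag, so the dangling pointer can be checked rather than crashing. `set_key_vulnerable()` releases the old key and ignores the init error, leaving the borrowed active-key pointer on a released key, which is the state the `sctp_auth_shkey_hold()` frame in the trace runs into; `set_key_fixed()` undoes the replacement on error, and `set_active_key()` with `fixed == true` restores the previous `active_key_id`, mirroring the two changes the commit message describes.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed toy model of the key bookkeeping described in the commit message; it is
 * not the kernel's SCTP code. Structs, names and the static pool are stand-ins chosen
 * so that a dangling active-key pointer stays observable instead of being real UB. */
#define NKEYS 4
/* refcnt is the key list's reference; freed is set instead of calling free(). */
struct shkey { int key_id; int refcnt; bool freed; };
/* keys is the key list indexed by key_id; active_key is a borrowed pointer the send path uses. */
struct assoc { struct shkey *keys[NKEYS]; int active_key_id; struct shkey *active_key; };
static struct shkey pool[16];
static int pool_used;
static struct shkey *shkey_alloc(int key_id)
{
    struct shkey *k = &pool[pool_used++];
    k->key_id = key_id; k->refcnt = 1; k->freed = false;
    return k;
}
/* Dropping the last reference "frees" the key (the real code runs the destructor). */
static void shkey_release(struct shkey *k) { if (--k->refcnt == 0) k->freed = true; }
/* Stand-in for sctp_auth_asoc_init_active_key(): rederives active_key from active_key_id
 * and leaves the borrowed pointer untouched on error; `fail` injects the error path. */
static int init_active_key(struct assoc *a, bool fail)
{
    if (fail) return -ENOMEM;
    a->active_key = a->keys[a->active_key_id];
    return 0;
}
/* Vulnerable shape of sctp_auth_set_key(): the old key is released and the init
 * result ignored, so active_key can still point at the released key. */
static int set_key_vulnerable(struct assoc *a, int key_id, bool fail)
{
    struct shkey *cur = shkey_alloc(key_id), *old = a->keys[key_id];
    a->keys[key_id] = cur;
    if (old) shkey_release(old);
    if (a->active_key_id == key_id) init_active_key(a, fail);
    return 0;
}
/* Fixed shape: the old key is dropped only once rederivation succeeded. */
static int set_key_fixed(struct assoc *a, int key_id, bool fail)
{
    struct shkey *cur = shkey_alloc(key_id), *old = a->keys[key_id];
    a->keys[key_id] = cur;
    if (a->active_key_id == key_id && init_active_key(a, fail)) {
        a->keys[key_id] = old; /* undo the swap: old stays linked and alive */
        shkey_release(cur);
        return -ENOMEM;
    }
    if (old) shkey_release(old);
    return 0;
}
/* Shape of sctp_auth_set_active_key(): the vulnerable version keeps the new id when
 * init fails; with fixed == true the old active_key_id is restored instead. */
static int set_active_key(struct assoc *a, int key_id, bool fail, bool fixed)
{
    int old_id = a->active_key_id;
    a->active_key_id = key_id;
    if (init_active_key(a, fail) && fixed) { a->active_key_id = old_id; return -ENOMEM; }
    return 0;
}
/* The send path takes a reference through the borrowed pointer (the sctp_auth_shkey_hold
 * frame in the trace); true means that access would land on freed memory. */
static bool send_touches_freed_key(const struct assoc *a) { return a->active_key && a->active_key->freed; }
/* Invariant: the active id and the active pointer name the same live key. */
static bool assoc_consistent(const struct assoc *a)
{
    return a->active_key && !a->active_key->freed && a->active_key == a->keys[a->active_key_id];
}
static void assoc_init(struct assoc *a) /* fresh association with key 0 installed and active */
{
    pool_used = 0;
    for (int i = 0; i < NKEYS; i++) a->keys[i] = NULL;
    a->keys[0] = shkey_alloc(0); a->active_key_id = 0; a->active_key = a->keys[0];
}
/* Replace the active key while rederivation fails (the syzbot scenario);
 * returns true if a later send would touch a freed key. */
bool scenario_set_key(bool use_fixed)
{
    struct assoc a; assoc_init(&a);
    if (use_fixed) set_key_fixed(&a, 0, true); else set_key_vulnerable(&a, 0, true);
    return send_touches_freed_key(&a);
}
/* Switch the active id while rederivation fails; true if the state stays consistent. */
bool scenario_set_active_key(bool use_fixed)
{
    struct assoc a; assoc_init(&a);
    a.keys[1] = shkey_alloc(1);
    set_active_key(&a, 1, true, use_fixed);
    return assoc_consistent(&a);
}
int main(void)
{
    printf("set_key: vulnerable touches freed key=%d, fixed=%d\n", scenario_set_key(false), scenario_set_key(true));
    printf("set_active_key: vulnerable consistent=%d, fixed=%d\n", scenario_set_active_key(false), scenario_set_active_key(true));
    return 0;
}
```

Build with `cc -std=c99 model.c` and run it: the vulnerable scenarios report a freed active key and a mismatched id/pointer pair, the fixed ones do not. The shape to look for when reviewing similar key-replacement code is the same in both fixes: mutate shared state only after every step that can fail has succeeded, and roll back whatever was already changed on the error path.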

Security implications of CVE-2022-50243 align with ATT&CK technique T1059.007 for command and scripting interpreter, as the vulnerability could enable attackers to execute arbitrary code through crafted SCTP packets. The vulnerability affects systems running Linux kernels with SCTP support and impacts network services that rely on SCTP authentication for security. Organizations should prioritize patching this vulnerability as it represents a potential path to privilege escalation or denial of service attacks. The fix demonstrates proper error handling practices that should be applied across similar authentication subsystems within kernel networking components, ensuring that memory management operations maintain referential integrity even under error conditions.

Responsible: Linux

Reservation: 09/15/2025

Disclosure: 09/15/2025

Moderation: accepted

CPE: ready

EPSS: 0.00150

KEV: no

Activities: very low
