CVE-2022-50865 in Linux

Summary

by MITRE • 12/30/2025

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and in tcp_add_backlog(), the variable limit is calculated by adding sk_rcvbuf, sk_sndbuf and 64 * 1024; it may exceed the max value of int and overflow. This patch reduces the limit budget by halving the sndbuf to solve this issue since ACK packets are much smaller than the payload.


Analysis

by VulDB Data Team • 04/26/2026

The vulnerability identified as CVE-2022-50865 represents a critical signed-integer-overflow condition within the Linux kernel's TCP implementation that specifically affects the tcp_add_backlog() function. This flaw exists in the network stack's handling of socket buffer management where the calculation of buffer limits can result in integer overflow, potentially leading to unpredictable behavior and system instability. The issue stems from the fundamental data type limitations within the kernel's networking subsystem where socket receive and send buffer sizes are defined as signed 32-bit integers, creating a scenario where arithmetic operations can exceed the maximum representable value for the int data type.

The technical flaw manifests when the tcp_add_backlog() function computes a limit value by summing the socket's receive buffer size (sk_rcvbuf), send buffer size (sk_sndbuf), and a fixed allowance of 64 KiB (64 * 1024 bytes). When these buffer values approach or exceed the maximum signed integer limit of 2,147,483,647 bytes, the addition wraps around and the calculated value becomes negative or significantly reduced, corrupting the buffer management logic. This overflow condition directly impacts the kernel's ability to properly manage the TCP packet backlog and can lead to memory corruption, denial of service conditions, or potentially exploitable states where malicious actors might manipulate network traffic to trigger the overflow scenario.

From an operational perspective, this vulnerability poses significant risks to systems running Linux kernels where TCP networking is heavily utilized, particularly in high-throughput environments, web servers, database systems, and network infrastructure components. The impact extends beyond simple service disruption as the integer overflow can cause the kernel to make incorrect decisions about buffer allocation and packet handling, potentially leading to memory corruption that might be exploitable under certain conditions. The vulnerability is particularly concerning because it operates at the kernel level where any buffer management error can result in system crashes, data loss, or in worst-case scenarios, privilege escalation opportunities that align with ATT&CK technique T1068 for local privilege escalation through kernel vulnerabilities.

The mitigation strategy implemented in the patch addresses this issue by reducing the buffer limit calculation budget through halving the send buffer contribution to the overall limit calculation. This approach acknowledges that acknowledgment packets, which represent the primary traffic type processed through this function, are significantly smaller than payload data packets and therefore do not require the full send buffer allocation for backlog management. The solution aligns with CWE-191, which specifically addresses signed integer underflow and overflow conditions, and represents a defensive programming approach that reduces the attack surface by limiting the arithmetic operations that could lead to overflow conditions. This remediation effectively prevents the integer overflow while maintaining functional integrity of the TCP backlog handling mechanism, ensuring that the kernel's network stack operates reliably under normal and potentially stressed network conditions. The fix demonstrates the importance of proper integer overflow protection in kernel code and reinforces the need for comprehensive input validation and boundary checking in system-level programming.
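As an added illustration, not code from the page, the advisory, or the kernel source, the following user-space C emulates the pre-fix and patched limit arithmetic that the commit message describes; the functions are stand-ins that take the two int-typed socket fields directly instead of a struct sock, and the sample buffer sizes are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in functions (not kernel code) reproducing the limit calculation
 * from the advisory: limit = sk_rcvbuf + sk_sndbuf + 64 * 1024, with both
 * socket fields typed int. */

/* Pre-fix limit. Signed overflow is undefined behaviour in C, so the
 * wraparound is reproduced deliberately with unsigned 32-bit arithmetic
 * and a final conversion to int (modular on gcc/clang). */
int limit_before_fix(int sk_rcvbuf, int sk_sndbuf)
{
    uint32_t sum = (uint32_t)sk_rcvbuf + (uint32_t)sk_sndbuf + 64u * 1024u;
    return (int)sum;            /* negative once the true sum exceeds INT_MAX */
}

/* Patched limit: only half of sndbuf is budgeted, as the commit message says. */
int limit_after_fix(int sk_rcvbuf, int sk_sndbuf)
{
    uint32_t sum = (uint32_t)sk_rcvbuf + (uint32_t)(sk_sndbuf >> 1) + 64u * 1024u;
    return (int)sum;
}

/* Defender-side check: redo the sum in 64 bits and report whether the
 * int result would have wrapped (1) or fits (0). */
int limit_would_wrap(int sk_rcvbuf, int sk_sndbuf, int halve_sndbuf)
{
    int64_t snd = halve_sndbuf ? (sk_sndbuf >> 1) : sk_sndbuf;
    int64_t sum = (int64_t)sk_rcvbuf + snd + 64 * 1024;
    return sum > INT_MAX;
}

int main(void)
{
    /* Constructed sample values: large but each within int range. */
    int rcvbuf = 2000000000, sndbuf = 200000000;
    printf("before fix: limit=%d wraps=%d\n", limit_before_fix(rcvbuf, sndbuf),
           limit_would_wrap(rcvbuf, sndbuf, 0));
    printf("after fix:  limit=%d wraps=%d\n", limit_after_fix(rcvbuf, sndbuf),
           limit_would_wrap(rcvbuf, sndbuf, 1));
    return 0;
}
```

With these inputs the pre-fix sum is 2,200,065,536, which wraps to a negative int, while the halved-sndbuf sum of 2,100,065,536 still fits.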

Responsible

Linux

Reservation

12/30/2025

Disclosure

12/30/2025

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low
