Linux Kernel up to 5.4.201/5.10.126/5.15.50/5.18.7 sk_to_full_sk reference count
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.5 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as critical has been discovered in Linux Kernel up to 5.4.201/5.10.126/5.15.50/5.18.7. Affected by this issue is the function sk_to_full_sk. Executing a manipulation can lead to reference count.
This vulnerability appears as CVE-2022-49697. There is no available exploit.
It is advisable to upgrade the affected component.
Details
A vulnerability classified as critical was found in Linux Kernel up to 5.4.201/5.10.126/5.15.50/5.18.7. This vulnerability affects the function sk_to_full_sk. The manipulation with an unknown input leads to a reference count vulnerability. The CWE definition for the vulnerability is CWE-911. The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. As an impact it is known to affect availability. CVE summarizes:
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix request_sock leak in sk lookup helpers A customer reported a request_socket leak in a Calico cloud environment. We found that a BPF program was doing a socket lookup with takes a refcnt on the socket and that it was finding the request_socket but returning the parent LISTEN socket via sk_to_full_sk() without decrementing the child request socket 1st, resulting in request_sock slab object leak. This patch retains the existing behaviour of returning full socks to the caller but it also decrements the child request_socket if one is present before doing so to prevent the leak. Thanks to Curtis Taylor for all the help in diagnosing and testing this. And thanks to Antoine Tenart for the reproducer and patch input. v2 of this patch contains, refactor as per Daniel Borkmann's suggestions to validate RCU flags on the listen socket so that it balances with bpf_sk_release() and update comments as per Martin KaFai Lau's suggestion. One small change to Daniels suggestion, put "sk = sk2" under "if (sk2 != sk)" to avoid an extra instruction.
The advisory is available at git.kernel.org. This vulnerability was named CVE-2022-49697 since 02/26/2025. Technical details are known, but there is no available exploit.
The vulnerability scanner Nessus provides a plugin with the ID 241018 (EulerOS 2.0 SP13 : kernel (EulerOS-SA-2025-1704)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 5.4.202, 5.10.127, 5.15.51 or 5.18.8 eliminates this vulnerability. Applying the patch 8ffe2e50e9678c8373027492035f094b130437f1/516760f1d2979903eaad5b437256913c5cd98416/b03607437ea81b850599f705096b05b85e7a4a71/5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd/3046a827316c0e55fc563b4fb78c93b9ca5c7c37 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Tenable (241018). If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Vendor
Name
Version
- 5.4.201
- 5.10.126
- 5.15.0
- 5.15.1
- 5.15.2
- 5.15.3
- 5.15.4
- 5.15.5
- 5.15.6
- 5.15.7
- 5.15.8
- 5.15.9
- 5.15.10
- 5.15.11
- 5.15.12
- 5.15.13
- 5.15.14
- 5.15.15
- 5.15.16
- 5.15.17
- 5.15.18
- 5.15.19
- 5.15.20
- 5.15.21
- 5.15.22
- 5.15.23
- 5.15.24
- 5.15.25
- 5.15.26
- 5.15.27
- 5.15.28
- 5.15.29
- 5.15.30
- 5.15.31
- 5.15.32
- 5.15.33
- 5.15.34
- 5.15.35
- 5.15.36
- 5.15.37
- 5.15.38
- 5.15.39
- 5.15.40
- 5.15.41
- 5.15.42
- 5.15.43
- 5.15.44
- 5.15.45
- 5.15.46
- 5.15.47
- 5.15.48
- 5.15.49
- 5.15.50
- 5.18.0
- 5.18.1
- 5.18.2
- 5.18.3
- 5.18.4
- 5.18.5
- 5.18.6
- 5.18.7
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.6VulDB Meta Temp Score: 5.5
VulDB Base Score: 5.7
VulDB Temp Score: 5.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Reference countCWE: CWE-911 / CWE-664
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 241018
Nessus Name: EulerOS 2.0 SP13 : kernel (EulerOS-SA-2025-1704)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Kernel 5.4.202/5.10.127/5.15.51/5.18.8
Patch: 8ffe2e50e9678c8373027492035f094b130437f1/516760f1d2979903eaad5b437256913c5cd98416/b03607437ea81b850599f705096b05b85e7a4a71/5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd/3046a827316c0e55fc563b4fb78c93b9ca5c7c37
Timeline
02/26/2025 🔍02/26/2025 🔍
02/26/2025 🔍
10/24/2025 🔍
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2022-49697 (🔍)
GCVE (CVE): GCVE-0-2022-49697
GCVE (VulDB): GCVE-100-297298
Entry
Created: 02/26/2025 11:04Updated: 10/24/2025 20:33
Changes: 02/26/2025 11:04 (58), 07/01/2025 17:47 (2), 10/24/2025 20:33 (11)
Complete: 🔍
Cache ID: 216::103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.