{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49669","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T02:21:30.436Z","datePublished":"2025-02-26T02:24:03.290Z","dateUpdated":"2025-05-04T08:42:57.290Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:42:57.290Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race on unaccepted mptcp sockets\n\nWhen the listener socket owning the relevant request is closed,\nit frees the unaccepted subflows and that causes later deletion\nof the paired MPTCP sockets.\n\nThe mptcp socket's worker can run in the time interval between such delete\noperations. When that happens, any access to msk->first will cause an UaF\naccess, as the subflow cleanup did not cleared such field in the mptcp\nsocket.\n\nAddress the issue explicitly traversing the listener socket accept\nqueue at close time and performing the needed cleanup on the pending\nmsk.\n\nNote that the locking is a bit tricky, as we need to acquire the msk\nsocket lock, while still owning the subflow socket one."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/protocol.c","net/mptcp/protocol.h","net/mptcp/subflow.c"],"versions":[{"version":"86e39e04482b0aadf3ee3ed5fcf2d63816559d36","lessThan":"a8a3e95c74e48c2c9b07b81fafda9122993f2e12","status":"affected","versionType":"git"},{"version":"86e39e04482b0aadf3ee3ed5fcf2d63816559d36","lessThan":"6aeed9045071f2252ff4e98fc13d1e304f33e5b0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/protocol.c","net/mptcp/protocol.h","net/mptcp/subflow.c"],"versions":[{"version":"5.17","status":"affected"},{"version":"0","lessThan":"5.17","status":"unaffected","versionType":"semver"},{"version":"5.18.10","lessThanOrEqual":"5.18.*","status":"unaffected","versionType":"semver"},{"version":"5.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"5.18.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"5.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a8a3e95c74e48c2c9b07b81fafda9122993f2e12"},{"url":"https://git.kernel.org/stable/c/6aeed9045071f2252ff4e98fc13d1e304f33e5b0"}],"title":"mptcp: fix race on unaccepted mptcp sockets","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49669","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-27T17:58:23.864289Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-27T18:02:28.430Z"}}]}}