{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49775","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:17:33.805Z","datePublished":"2025-05-01T14:09:11.827Z","dateUpdated":"2026-05-11T19:06:32.547Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:06:32.547Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: cdg: allow tcp_cdg_release() to be called multiple times\n\nApparently, mptcp is able to call tcp_disconnect() on an already\ndisconnected flow. This is generally fine, unless current congestion\ncontrol is CDG, because it might trigger a double-free [1]\n\nInstead of fixing MPTCP, and future bugs, we can make tcp_disconnect()\nmore resilient.\n\n[1]\nBUG: KASAN: double-free in slab_free mm/slub.c:3539 [inline]\nBUG: KASAN: double-free in kfree+0xe2/0x580 mm/slub.c:4567\n\nCPU: 0 PID: 3645 Comm: kworker/0:7 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nWorkqueue: events mptcp_worker\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x719 mm/kasan/report.c:433\nkasan_report_invalid_free+0x81/0x190 mm/kasan/report.c:462\n____kasan_slab_free+0x18b/0x1c0 mm/kasan/common.c:356\nkasan_slab_free include/linux/kasan.h:200 [inline]\nslab_free_hook mm/slub.c:1759 [inline]\nslab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785\nslab_free mm/slub.c:3539 [inline]\nkfree+0xe2/0x580 mm/slub.c:4567\ntcp_disconnect+0x980/0x1e20 net/ipv4/tcp.c:3145\n__mptcp_close_ssk+0x5ca/0x7e0 net/mptcp/protocol.c:2327\nmptcp_do_fastclose net/mptcp/protocol.c:2592 [inline]\nmptcp_worker+0x78c/0xff0 net/mptcp/protocol.c:2627\nprocess_one_work+0x991/0x1610 kernel/workqueue.c:2289\nworker_thread+0x665/0x1080 kernel/workqueue.c:2436\nkthread+0x2e4/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n</TASK>\n\nAllocated by task 3671:\nkasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\nkasan_set_track mm/kasan/common.c:45 [inline]\nset_alloc_info mm/kasan/common.c:437 [inline]\n____kasan_kmalloc mm/kasan/common.c:516 [inline]\n____kasan_kmalloc mm/kasan/common.c:475 [inline]\n__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525\nkmalloc_array include/linux/slab.h:640 [inline]\nkcalloc include/linux/slab.h:671 [inline]\ntcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380\ntcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:193\ntcp_reinit_congestion_control net/ipv4/tcp_cong.c:217 [inline]\ntcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:391\ndo_tcp_setsockopt+0x505/0x2320 net/ipv4/tcp.c:3513\ntcp_setsockopt+0xd4/0x100 net/ipv4/tcp.c:3801\nmptcp_setsockopt+0x35f/0x2570 net/mptcp/sockopt.c:844\n__sys_setsockopt+0x2d6/0x690 net/socket.c:2252\n__do_sys_setsockopt net/socket.c:2263 [inline]\n__se_sys_setsockopt net/socket.c:2260 [inline]\n__x64_sys_setsockopt+0xba/0x150 net/socket.c:2260\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 16:\nkasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\nkasan_set_track+0x21/0x30 mm/kasan/common.c:45\nkasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370\n____kasan_slab_free mm/kasan/common.c:367 [inline]\n____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329\nkasan_slab_free include/linux/kasan.h:200 [inline]\nslab_free_hook mm/slub.c:1759 [inline]\nslab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785\nslab_free mm/slub.c:3539 [inline]\nkfree+0xe2/0x580 mm/slub.c:4567\ntcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:226\ntcp_v4_destroy_sock+0xdd/0x750 net/ipv4/tcp_ipv4.c:2254\ntcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1969\ninet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1157\ntcp_done+0x23b/0x340 net/ipv4/tcp.c:4649\ntcp_rcv_state_process+0x40e7/0x4990 net/ipv4/tcp_input.c:6624\ntcp_v6_do_rcv+0x3fc/0x13c0 net/ipv6/tcp_ipv6.c:1525\ntcp_v6_rcv+0x2e8e/0x3830 net/ipv6/tcp_ipv6.c:1759\nip6_protocol_deliver_rcu+0x2db/0x1950 net/ipv6/ip6_input.c:439\nip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:484\nNF_HOOK include/linux/netfilter.h:302 [inline]\nNF_HOOK include/linux/netfilter.h:296 [inline]\nip6_input+0x9c/0xd\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_cdg.c"],"versions":[{"version":"2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e","lessThan":"0b19171439016a8e4c97eafe543670ac86e2b8fe","status":"affected","versionType":"git"},{"version":"2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e","lessThan":"4026033907cc6186d86b48daa4a252c860db2536","status":"affected","versionType":"git"},{"version":"2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e","lessThan":"9e481d87349d2282f400ee1d010a169c99f766b8","status":"affected","versionType":"git"},{"version":"2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e","lessThan":"78be2ee0112409ae4e9ee9e326151e0559b3d239","status":"affected","versionType":"git"},{"version":"2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e","lessThan":"35309be06b6feded2ab2cafbc2bca8534c2fa41e","status":"affected","versionType":"git"},{"version":"2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e","lessThan":"b49026d9c86f35a4c5bfb8d7345c9c4379828c6b","status":"affected","versionType":"git"},{"version":"2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e","lessThan":"1b639be27cbf428a5ca01dcf8b5d654194c956f8","status":"affected","versionType":"git"},{"version":"2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e","lessThan":"72e560cb8c6f80fc2b4afc5d3634a32465e13a51","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_cdg.c"],"versions":[{"version":"4.2","status":"affected"},{"version":"0","lessThan":"4.2","status":"unaffected","versionType":"semver"},{"version":"4.9.334","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.300","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.267","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.225","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.156","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.80","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.10","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"4.9.334"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"4.14.300"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"4.19.267"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"5.4.225"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"5.10.156"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"5.15.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0b19171439016a8e4c97eafe543670ac86e2b8fe"},{"url":"https://git.kernel.org/stable/c/4026033907cc6186d86b48daa4a252c860db2536"},{"url":"https://git.kernel.org/stable/c/9e481d87349d2282f400ee1d010a169c99f766b8"},{"url":"https://git.kernel.org/stable/c/78be2ee0112409ae4e9ee9e326151e0559b3d239"},{"url":"https://git.kernel.org/stable/c/35309be06b6feded2ab2cafbc2bca8534c2fa41e"},{"url":"https://git.kernel.org/stable/c/b49026d9c86f35a4c5bfb8d7345c9c4379828c6b"},{"url":"https://git.kernel.org/stable/c/1b639be27cbf428a5ca01dcf8b5d654194c956f8"},{"url":"https://git.kernel.org/stable/c/72e560cb8c6f80fc2b4afc5d3634a32465e13a51"}],"title":"tcp: cdg: allow tcp_cdg_release() to be called multiple times","x_generator":{"engine":"bippy-1.2.0"}}}}