{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49814","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-05-01T14:05:17.226Z","datePublished":"2025-05-01T14:09:38.389Z","dateUpdated":"2026-05-11T19:07:18.427Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:07:18.427Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: close race conditions on sk_receive_queue\n\nsk->sk_receive_queue is protected by skb queue lock, but for KCM\nsockets its RX path takes mux->rx_lock to protect more than just\nskb queue. However, kcm_recvmsg() still only grabs the skb queue\nlock, so race conditions still exist.\n\nWe can teach kcm_recvmsg() to grab mux->rx_lock too but this would\nintroduce a potential performance regression as struct kcm_mux can\nbe shared by multiple KCM sockets.\n\nSo we have to enforce skb queue lock in requeue_rx_msgs() and handle\nskb peek case carefully in kcm_wait_data(). Fortunately,\nskb_recv_datagram() already handles it nicely and is widely used by\nother sockets, we can just switch to skb_recv_datagram() after\ngetting rid of the unnecessary sock lock in kcm_recvmsg() and\nkcm_splice_read(). Side note: SOCK_DONE is not used by KCM sockets,\nso it is safe to get rid of this check too.\n\nI ran the original syzbot reproducer for 30 min without seeing any\nissue."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/kcm/kcmsock.c"],"versions":[{"version":"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3","lessThan":"22f6b5d47396b4287662668ee3f5c1f766cb4259","status":"affected","versionType":"git"},{"version":"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3","lessThan":"d9ad4de92e184b19bcae4da10dac0275abf83931","status":"affected","versionType":"git"},{"version":"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3","lessThan":"ce57d6474ae999a3b2d442314087473a646a65c7","status":"affected","versionType":"git"},{"version":"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3","lessThan":"4154b6afa2bd639214ff259d912faad984f7413a","status":"affected","versionType":"git"},{"version":"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3","lessThan":"f7b0e95071bb4be4b811af3f0bfc3e200eedeaa3","status":"affected","versionType":"git"},{"version":"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3","lessThan":"bf92e54597d842da127c59833b365d6faeeaf020","status":"affected","versionType":"git"},{"version":"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3","lessThan":"5121197ecc5db58c07da95eb1ff82b98b121a221","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/kcm/kcmsock.c"],"versions":[{"version":"4.6","status":"affected"},{"version":"0","lessThan":"4.6","status":"unaffected","versionType":"semver"},{"version":"4.14.300","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.267","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.225","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.156","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.80","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.10","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"4.14.300"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"4.19.267"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.4.225"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.10.156"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.15.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/22f6b5d47396b4287662668ee3f5c1f766cb4259"},{"url":"https://git.kernel.org/stable/c/d9ad4de92e184b19bcae4da10dac0275abf83931"},{"url":"https://git.kernel.org/stable/c/ce57d6474ae999a3b2d442314087473a646a65c7"},{"url":"https://git.kernel.org/stable/c/4154b6afa2bd639214ff259d912faad984f7413a"},{"url":"https://git.kernel.org/stable/c/f7b0e95071bb4be4b811af3f0bfc3e200eedeaa3"},{"url":"https://git.kernel.org/stable/c/bf92e54597d842da127c59833b365d6faeeaf020"},{"url":"https://git.kernel.org/stable/c/5121197ecc5db58c07da95eb1ff82b98b121a221"}],"title":"kcm: close race conditions on sk_receive_queue","x_generator":{"engine":"bippy-1.2.0"}}}}