{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49837","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-05-01T14:05:17.229Z","datePublished":"2025-05-01T14:09:54.141Z","dateUpdated":"2026-05-11T19:07:44.113Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:07:44.113Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memory leaks in __check_func_call\n\nkmemleak reports this issue:\n\nunreferenced object 0xffff88817139d000 (size 2048):\n  comm \"test_progs\", pid 33246, jiffies 4307381979 (age 45851.820s)\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000045f075f0>] kmalloc_trace+0x27/0xa0\n    [<0000000098b7c90a>] __check_func_call+0x316/0x1230\n    [<00000000b4c3c403>] check_helper_call+0x172e/0x4700\n    [<00000000aa3875b7>] do_check+0x21d8/0x45e0\n    [<000000001147357b>] do_check_common+0x767/0xaf0\n    [<00000000b5a595b4>] bpf_check+0x43e3/0x5bc0\n    [<0000000011e391b1>] bpf_prog_load+0xf26/0x1940\n    [<0000000007f765c0>] __sys_bpf+0xd2c/0x3650\n    [<00000000839815d6>] __x64_sys_bpf+0x75/0xc0\n    [<00000000946ee250>] do_syscall_64+0x3b/0x90\n    [<0000000000506b7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root case here is: In function prepare_func_exit(), the callee is\nnot released in the abnormal scenario after \"state->curframe--;\". To\nfix, move \"state->curframe--;\" to the very bottom of the function,\nright when we free callee and reset frame[] pointer to NULL, as Andrii\nsuggested.\n\nIn addition, function __check_func_call() has a similar problem. In\nthe abnormal scenario before \"state->curframe++;\", the callee also\nshould be released by free_func_state()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/verifier.c"],"versions":[{"version":"fd978bf7fd312581a7ca454a991f0ffb34c4204b","lessThan":"d4944497827a3d14bc5a26dbcfb7433eb5a956c0","status":"affected","versionType":"git"},{"version":"fd978bf7fd312581a7ca454a991f0ffb34c4204b","lessThan":"83946d772e756734a900ef99dbe0aeda506adf37","status":"affected","versionType":"git"},{"version":"fd978bf7fd312581a7ca454a991f0ffb34c4204b","lessThan":"eb86559a691cea5fa63e57a03ec3dc9c31e97955","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/verifier.c"],"versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","status":"unaffected","versionType":"semver"},{"version":"5.15.80","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.10","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d4944497827a3d14bc5a26dbcfb7433eb5a956c0"},{"url":"https://git.kernel.org/stable/c/83946d772e756734a900ef99dbe0aeda506adf37"},{"url":"https://git.kernel.org/stable/c/eb86559a691cea5fa63e57a03ec3dc9c31e97955"}],"title":"bpf: Fix memory leaks in __check_func_call","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-401","lang":"en","description":"CWE-401 Missing Release of Memory after Effective Lifetime"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-10-01T17:02:23.476033Z","id":"CVE-2022-49837","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T17:02:27.099Z"}}]}}