{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49838","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-05-01T14:05:17.229Z","datePublished":"2025-05-01T14:09:54.816Z","dateUpdated":"2026-05-11T19:07:45.252Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:07:45.252Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: clear out_curr if all frag chunks of current msg are pruned\n\nA crash was reported by Zhen Chen:\n\n  list_del corruption, ffffa035ddf01c18->next is NULL\n  WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0\n  RIP: 0010:__list_del_entry_valid+0x59/0xe0\n  Call Trace:\n   sctp_sched_dequeue_common+0x17/0x70 [sctp]\n   sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]\n   sctp_outq_flush_data+0x85/0x360 [sctp]\n   sctp_outq_uncork+0x77/0xa0 [sctp]\n   sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]\n   sctp_side_effects+0x37/0xe0 [sctp]\n   sctp_do_sm+0xd0/0x230 [sctp]\n   sctp_primitive_SEND+0x2f/0x40 [sctp]\n   sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]\n   sctp_sendmsg+0x3d5/0x440 [sctp]\n   sock_sendmsg+0x5b/0x70\n\nand in sctp_sched_fcfs_dequeue() it dequeued a chunk from stream\nout_curr outq while this outq was empty.\n\nNormally stream->out_curr must be set to NULL once all frag chunks of\ncurrent msg are dequeued, as we can see in sctp_sched_dequeue_done().\nHowever, in sctp_prsctp_prune_unsent() as it is not a proper dequeue,\nsctp_sched_dequeue_done() is not called to do this.\n\nThis patch is to fix it by simply setting out_curr to NULL when the\nlast frag chunk of current msg is dequeued from out_curr stream in\nsctp_prsctp_prune_unsent()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sctp/outqueue.c"],"versions":[{"version":"5bbbbe32a43199c2b9ea5ea66fab6241c64beb51","lessThan":"e27458b18b35caee4b27b37a4a9c503b93cae5cc","status":"affected","versionType":"git"},{"version":"5bbbbe32a43199c2b9ea5ea66fab6241c64beb51","lessThan":"2ea600b598dd3e061854dd4dd5b4c815397dfcea","status":"affected","versionType":"git"},{"version":"5bbbbe32a43199c2b9ea5ea66fab6241c64beb51","lessThan":"3eff34e01062ec08fbb45ce2baaaa644550be821","status":"affected","versionType":"git"},{"version":"5bbbbe32a43199c2b9ea5ea66fab6241c64beb51","lessThan":"2f201ae14ae0f91dbf1cffea7bb1e29e81d4d108","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sctp/outqueue.c"],"versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","status":"unaffected","versionType":"semver"},{"version":"5.10.156","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.81","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.10","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.10.156"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.15.81"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e27458b18b35caee4b27b37a4a9c503b93cae5cc"},{"url":"https://git.kernel.org/stable/c/2ea600b598dd3e061854dd4dd5b4c815397dfcea"},{"url":"https://git.kernel.org/stable/c/3eff34e01062ec08fbb45ce2baaaa644550be821"},{"url":"https://git.kernel.org/stable/c/2f201ae14ae0f91dbf1cffea7bb1e29e81d4d108"}],"title":"sctp: clear out_curr if all frag chunks of current msg are pruned","x_generator":{"engine":"bippy-1.2.0"}}}}