{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49420", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:08:31.568Z", "datePublished": "2025-02-26T02:12:44.316Z", "dateUpdated": "2025-05-04T08:37:17.463Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:37:17.463Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate races around sk->sk_bound_dev_if\n\nUDP sendmsg() is lockless, and reads sk->sk_bound_dev_if while\nthis field can be changed by another thread.\n\nAdds minimal annotations to avoid KCSAN splats for UDP.\nFollowing patches will add more annotations to potential lockless readers.\n\nBUG: KCSAN: data-race in __ip6_datagram_connect / udpv6_sendmsg\n\nwrite to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0:\n __ip6_datagram_connect+0x6e2/0x930 net/ipv6/datagram.c:221\n ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272\n inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576\n __sys_connect_file net/socket.c:1900 [inline]\n __sys_connect+0x197/0x1b0 net/socket.c:1917\n __do_sys_connect net/socket.c:1927 [inline]\n __se_sys_connect net/socket.c:1924 [inline]\n __x64_sys_connect+0x3d/0x50 net/socket.c:1924\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nread to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1:\n udpv6_sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436\n inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:652\n sock_sendmsg_nosec net/socket.c:705 [inline]\n sock_sendmsg net/socket.c:725 [inline]\n ____sys_sendmsg+0x39a/0x510 net/socket.c:2413\n ___sys_sendmsg net/socket.c:2467 [inline]\n __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553\n __do_sys_sendmmsg net/socket.c:2582 [inline]\n __se_sys_sendmmsg net/socket.c:2579 [inline]\n __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nvalue changed: 0x00000000 -> 0xffffff9b\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G W 5.18.0-rc1-syzkaller-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n\nI chose to not add Fixes: tag because race has minor consequences\nand stable teams busy enough."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/ip.h", "include/net/sock.h", "net/ipv6/datagram.c", "net/ipv6/udp.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "20b2f61797873a2b18b5ff1a304ad2674fa1e0a5", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4c971d2f3548e4f11b1460ac048f5307e4b39fdb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/ip.h", "include/net/sock.h", "net/ipv6/datagram.c", "net/ipv6/udp.c"], "versions": [{"version": "5.18.3", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.18.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/20b2f61797873a2b18b5ff1a304ad2674fa1e0a5"}, {"url": "https://git.kernel.org/stable/c/4c971d2f3548e4f11b1460ac048f5307e4b39fdb"}], "title": "net: annotate races around sk->sk_bound_dev_if", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate races around sk->sk_bound_dev_if\n\nUDP sendmsg() is lockless, and reads sk->sk_bound_dev_if while\nthis field can be changed by another thread.\n\nAdds minimal annotations to avoid KCSAN splats for UDP.\nFollowing patches will add more annotations to potential lockless readers.\n\nBUG: KCSAN: data-race in __ip6_datagram_connect / udpv6_sendmsg\n\nwrite to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0:\n __ip6_datagram_connect+0x6e2/0x930 net/ipv6/datagram.c:221\n ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272\n inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576\n __sys_connect_file net/socket.c:1900 [inline]\n __sys_connect+0x197/0x1b0 net/socket.c:1917\n __do_sys_connect net/socket.c:1927 [inline]\n __se_sys_connect net/socket.c:1924 [inline]\n __x64_sys_connect+0x3d/0x50 net/socket.c:1924\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nread to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1:\n udpv6_sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436\n inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:652\n sock_sendmsg_nosec net/socket.c:705 [inline]\n sock_sendmsg net/socket.c:725 [inline]\n ____sys_sendmsg+0x39a/0x510 net/socket.c:2413\n ___sys_sendmsg net/socket.c:2467 [inline]\n __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553\n __do_sys_sendmmsg net/socket.c:2582 [inline]\n __se_sys_sendmmsg net/socket.c:2579 [inline]\n __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nvalue changed: 0x00000000 -> 0xffffff9b\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G W 5.18.0-rc1-syzkaller-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n\nI chose to not add Fixes: tag because race has minor consequences\nand stable teams busy enough."}], "id": "CVE-2022-49420", "lastModified": "2025-02-26T07:01:18.440", "metrics": {}, "published": "2025-02-26T07:01:18.440", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/20b2f61797873a2b18b5ff1a304ad2674fa1e0a5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4c971d2f3548e4f11b1460ac048f5307e4b39fdb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: net: annotate races around sk->sk_bound_dev_if", "id": "2347846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347846"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: annotate races around sk->sk_bound_dev_if\nUDP sendmsg() is lockless, and reads sk->sk_bound_dev_if while\nthis field can be changed by another thread.\nAdds minimal annotations to avoid KCSAN splats for UDP.\nFollowing patches will add more annotations to potential lockless readers.\nBUG: KCSAN: data-race in __ip6_datagram_connect / udpv6_sendmsg\nwrite to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0:\n__ip6_datagram_connect+0x6e2/0x930 net/ipv6/datagram.c:221\nip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272\ninet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576\n__sys_connect_file net/socket.c:1900 [inline]\n__sys_connect+0x197/0x1b0 net/socket.c:1917\n__do_sys_connect net/socket.c:1927 [inline]\n__se_sys_connect net/socket.c:1924 [inline]\n__x64_sys_connect+0x3d/0x50 net/socket.c:1924\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nread to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1:\nudpv6_sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436\ninet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:652\nsock_sendmsg_nosec net/socket.c:705 [inline]\nsock_sendmsg net/socket.c:725 [inline]\n____sys_sendmsg+0x39a/0x510 net/socket.c:2413\n___sys_sendmsg net/socket.c:2467 [inline]\n__sys_sendmmsg+0x267/0x4c0 net/socket.c:2553\n__do_sys_sendmmsg net/socket.c:2582 [inline]\n__se_sys_sendmmsg net/socket.c:2579 [inline]\n__x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nvalue changed: 0x00000000 -> 0xffffff9b\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G W 5.18.0-rc1-syzkaller-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nI chose to not add Fixes: tag because race has minor consequences\nand stable teams busy enough.", "A race condition vulnerability exists in the Linux kernel that affects the UDP sendmsg() function, where data is sent without proper synchronization, which can be manipulated by other threads. This can lead to unpredictable behavior and cause system unavailability due to changes made by other threads."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-49420", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49420\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49420\nhttps://lore.kernel.org/linux-cve-announce/2025022654-CVE-2022-49420-2ad4@gregkh/T"], "threat_severity": "Moderate"}