CVE-2022-48809

MEDIUM

Linux Kernel - Use-After-Free in SKB Destination Uncloning

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net: fix a memleak when uncloning an skb dst and its metadata When uncloning an skb dst and its associated metadata, a new dst+metadata is allocated and later replaces the old one in the skb. This is helpful to have a non-shared dst+metadata attached to a specific skb. The issue is the uncloned dst+metadata is initialized with a refcount of 1, which is increased to 2 before attaching it to the skb. When tun_dst_unclone returns, the dst+metadata is only referenced from a single place (the skb) while its refcount is 2. Its refcount will never drop to 0 (when the skb is consumed), leading to a memory leak. Fix this by removing the call to dst_hold in tun_dst_unclone, as the dst+metadata refcount is already 1.

References (8)

Core 8

Scores

CVSS v3 5.5
EPSS 0.0028
EPSS Percentile 19.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-401
Status published
Products (26)
linux/Kernel 4.10.0 - 4.14.267linux
linux/Kernel 4.15.0 - 4.19.230linux
linux/Kernel 4.20.0 - 5.4.180linux
linux/Kernel 4.3.0 - 4.9.302linux
linux/Kernel 5.11.0 - 5.15.24linux
linux/Kernel 5.16.0 - 5.16.10linux
linux/Kernel 5.5.0 - 5.10.101linux
Linux/Linux < 4.3
Linux/Linux 4.14.267 - 4.14.*
Linux/Linux 4.19.230 - 4.19.*
... and 16 more
Published Jul 16, 2024
Tracked Since Feb 18, 2026