{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-49456", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:08:31.574Z", "datePublished": "2025-02-26T02:13:04.787Z", "dateUpdated": "2026-05-11T19:00:13.862Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:00:13.862Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix missed rcu protection\n\nWhen removing the rcu_read_lock in bond_ethtool_get_ts_info() as\ndiscussed [1], I didn't notice it could be called via setsockopt,\nwhich doesn't hold rcu lock, as syzbot pointed:\n\n stack backtrace:\n CPU: 0 PID: 3599 Comm: syz-executor317 Not tainted 5.18.0-rc5-syzkaller-01392-g01f4685797a5 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n Call Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n bond_option_active_slave_get_rcu include/net/bonding.h:353 [inline]\n bond_ethtool_get_ts_info+0x32c/0x3a0 drivers/net/bonding/bond_main.c:5595\n __ethtool_get_ts_info+0x173/0x240 net/ethtool/common.c:554\n ethtool_get_phc_vclocks+0x99/0x110 net/ethtool/common.c:568\n sock_timestamping_bind_phc net/core/sock.c:869 [inline]\n sock_set_timestamping+0x3a3/0x7e0 net/core/sock.c:916\n sock_setsockopt+0x543/0x2ec0 net/core/sock.c:1221\n __sys_setsockopt+0x55e/0x6a0 net/socket.c:2223\n __do_sys_setsockopt net/socket.c:2238 [inline]\n __se_sys_setsockopt net/socket.c:2235 [inline]\n __x64_sys_setsockopt+0xba/0x150 net/socket.c:2235\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f8902c8eb39\n\nFix it by adding rcu_read_lock and take a ref on the real_dev.\nSince dev_hold() and dev_put() can take NULL these days, we can\nskip checking if real_dev exist.\n\n[1] https://lore.kernel.org/netdev/27565.1642742439@famine/"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/bonding/bond_main.c"], "versions": [{"version": "aa6034678e873db8bd5c5a4b73f8b88c469374d6", "lessThan": "1b66a533c47d29b38af8e05fbb53b609a5ba3a4e", "status": "affected", "versionType": "git"}, {"version": "aa6034678e873db8bd5c5a4b73f8b88c469374d6", "lessThan": "85eed460681da71b359ed906bce4d800081db854", "status": "affected", "versionType": "git"}, {"version": "aa6034678e873db8bd5c5a4b73f8b88c469374d6", "lessThan": "9b80ccda233fa6c59de411bf889cc4d0e028f2c7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/bonding/bond_main.c"], "versions": [{"version": "5.17", "status": "affected"}, {"version": "0", "lessThan": "5.17", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.14", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.3", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.17.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.18.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1b66a533c47d29b38af8e05fbb53b609a5ba3a4e"}, {"url": "https://git.kernel.org/stable/c/85eed460681da71b359ed906bce4d800081db854"}, {"url": "https://git.kernel.org/stable/c/9b80ccda233fa6c59de411bf889cc4d0e028f2c7"}], "title": "bonding: fix missed rcu protection", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A6ECE07-4D3D-40FC-A74C-2C36A48CB577", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.17.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:-:*:*:*:*:*:*", "matchCriteriaId": "A59F7FD3-F505-48BD-8875-F07A33F42F6C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "E6E34B23-78B4-4516-9BD8-61B33F4AC49A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "B2D2677C-5389-4AE9-869D-0F881E80D923", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "EFA3917C-C322-4D92-912D-ECE45B2E7416", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "BED18363-5ABC-4639-8BBA-68E771E5BB3F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc7:*:*:*:*:*:*", "matchCriteriaId": "7F635F96-FA0A-4769-ADE8-232B3AC9116D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc8:*:*:*:*:*:*", "matchCriteriaId": "FD39FE73-2A9D-4C92-AE7A-CA22F84B228D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix missed rcu protection\n\nWhen removing the rcu_read_lock in bond_ethtool_get_ts_info() as\ndiscussed [1], I didn't notice it could be called via setsockopt,\nwhich doesn't hold rcu lock, as syzbot pointed:\n\n stack backtrace:\n CPU: 0 PID: 3599 Comm: syz-executor317 Not tainted 5.18.0-rc5-syzkaller-01392-g01f4685797a5 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n Call Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n bond_option_active_slave_get_rcu include/net/bonding.h:353 [inline]\n bond_ethtool_get_ts_info+0x32c/0x3a0 drivers/net/bonding/bond_main.c:5595\n __ethtool_get_ts_info+0x173/0x240 net/ethtool/common.c:554\n ethtool_get_phc_vclocks+0x99/0x110 net/ethtool/common.c:568\n sock_timestamping_bind_phc net/core/sock.c:869 [inline]\n sock_set_timestamping+0x3a3/0x7e0 net/core/sock.c:916\n sock_setsockopt+0x543/0x2ec0 net/core/sock.c:1221\n __sys_setsockopt+0x55e/0x6a0 net/socket.c:2223\n __do_sys_setsockopt net/socket.c:2238 [inline]\n __se_sys_setsockopt net/socket.c:2235 [inline]\n __x64_sys_setsockopt+0xba/0x150 net/socket.c:2235\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f8902c8eb39\n\nFix it by adding rcu_read_lock and take a ref on the real_dev.\nSince dev_hold() and dev_put() can take NULL these days, we can\nskip checking if real_dev exist.\n\n[1] https://lore.kernel.org/netdev/27565.1642742439@famine/"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bonding: se corrige la protecci\u00f3n rcu faltante Al eliminar rcu_read_lock en bond_ethtool_get_ts_info() como se discuti\u00f3 [1], no not\u00e9 que se pod\u00eda llamar a trav\u00e9s de setsockopt, que no mantiene el bloqueo rcu, como se\u00f1al\u00f3 syzbot: seguimiento de pila: CPU: 0 PID: 3599 Comm: syz-executor317 Not tainted 5.18.0-rc5-syzkaller-01392-g01f4685797a5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 bond_option_active_slave_get_rcu include/net/bonding.h:353 [inline] bond_ethtool_get_ts_info+0x32c/0x3a0 drivers/net/bonding/bond_main.c:5595 __ethtool_get_ts_info+0x173/0x240 net/ethtool/common.c:554 ethtool_get_phc_vclocks+0x99/0x110 net/ethtool/common.c:568 sock_timestamping_bind_phc net/core/sock.c:869 [inline] sock_set_timestamping+0x3a3/0x7e0 net/core/sock.c:916 sock_setsockopt+0x543/0x2ec0 net/core/sock.c:1221 __sys_setsockopt+0x55e/0x6a0 net/socket.c:2223 __do_sys_setsockopt net/socket.c:2238 [inline] __se_sys_setsockopt net/socket.c:2235 [inline] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2235 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f8902c8eb39 Fix it by adding rcu_read_lock and take a ref on the real_dev. Since dev_hold() and dev_put() can take NULL these days, we can skip checking if real_dev exist. [1] https://lore.kernel.org/netdev/27565.1642742439@famine/ "}], "id": "CVE-2022-49456", "lastModified": "2025-10-22T17:24:41.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:01:21.950", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1b66a533c47d29b38af8e05fbb53b609a5ba3a4e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/85eed460681da71b359ed906bce4d800081db854"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9b80ccda233fa6c59de411bf889cc4d0e028f2c7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bonding: fix missed rcu protection", "id": "2347903", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347903"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-413", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbonding: fix missed rcu protection\nWhen removing the rcu_read_lock in bond_ethtool_get_ts_info() as\ndiscussed [1], I didn't notice it could be called via setsockopt,\nwhich doesn't hold rcu lock, as syzbot pointed:\nstack backtrace:\nCPU: 0 PID: 3599 Comm: syz-executor317 Not tainted 5.18.0-rc5-syzkaller-01392-g01f4685797a5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nbond_option_active_slave_get_rcu include/net/bonding.h:353 [inline]\nbond_ethtool_get_ts_info+0x32c/0x3a0 drivers/net/bonding/bond_main.c:5595\n__ethtool_get_ts_info+0x173/0x240 net/ethtool/common.c:554\nethtool_get_phc_vclocks+0x99/0x110 net/ethtool/common.c:568\nsock_timestamping_bind_phc net/core/sock.c:869 [inline]\nsock_set_timestamping+0x3a3/0x7e0 net/core/sock.c:916\nsock_setsockopt+0x543/0x2ec0 net/core/sock.c:1221\n__sys_setsockopt+0x55e/0x6a0 net/socket.c:2223\n__do_sys_setsockopt net/socket.c:2238 [inline]\n__se_sys_setsockopt net/socket.c:2235 [inline]\n__x64_sys_setsockopt+0xba/0x150 net/socket.c:2235\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f8902c8eb39\nFix it by adding rcu_read_lock and take a ref on the real_dev.\nSince dev_hold() and dev_put() can take NULL these days, we can\nskip checking if real_dev exist.\n[1] https://lore.kernel.org/netdev/27565.1642742439@famine/", "A vulnerability was found in the Linux kernel's bonding driver, which aggregates multiple network interfaces into a single logical interface for redundancy or increased throughput. The issue arises from a missing Read-Copy-Update (RCU) lock in the bond_ethtool_get_ts_info() function. This function can be invoked via the setsockopt system call without holding the necessary RCU lock, leading to potential race conditions and memory corruption when accessing bonding driver data structures."], "name": "CVE-2022-49456", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49456\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49456\nhttps://lore.kernel.org/linux-cve-announce/2025022600-CVE-2022-49456-2bf4@gregkh/T"], "statement": "The vulnerability was introduced after a previous change that removed the RCU lock from the function, not accounting for the fact that it could be called without the appropriate synchronization. This oversight could allow attackers with local access to exploit the race condition, potentially causing system instability or other unintended behaviors.", "threat_severity": "Moderate"}

{"created": "2025-07-12T22:31:59.628739+00:00", "updated": "2025-07-12T22:31:59.628808+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}