CVE-2022-49973 - Vulnerability Details

- skmsg: Fix wrong last sg check in sk_msg_recvmsg()

Description

In the Linux kernel, the following vulnerability has been resolved:

skmsg: Fix wrong last sg check in sk_msg_recvmsg()

Fix one kernel NULL pointer dereference as below:

[ 224.462334] Call Trace:
[ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380
[ 224.462441] ? sock_has_perm+0x78/0xa0
[ 224.462463] tcp_bpf_recvmsg+0x12e/0x220
[ 224.462494] inet_recvmsg+0x5b/0xd0
[ 224.462534] __sys_recvfrom+0xc8/0x130
[ 224.462574] ? syscall_trace_enter+0x1df/0x2e0
[ 224.462606] ? __do_page_fault+0x2de/0x500
[ 224.462635] __x64_sys_recvfrom+0x24/0x30
[ 224.462660] do_syscall_64+0x5d/0x1d0
[ 224.462709] entry_SYSCALL_64_after_hwframe+0x65/0xca

In commit 9974d37ea75f ("skmsg: Fix invalid last sg check in
sk_msg_recvmsg()"), we change last sg check to sg_is_last(),
but in sockmap redirection case (without stream_parser/stream_verdict/
skb_verdict), we did not mark the end of the scatterlist. Check the
sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all
do not mark the end of sg. They are expected to use sg.end for end
judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.

Published: 2025-06-18

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`293c53b7dbf9073cbcc488f938bc053ff4caeec0`	affected	< de22cba333d8699ad77e79f862fe1320cb1284de
`1295dae30f30c3daa03005ed8958d44b17f037fd`	affected	< 10ee118a1756141f8e9c87aa7344ed12b41630a8
`9974d37ea75f01b47d16072b5dad305bd8d23fcc`	affected	< 583585e48d965338e73e1eb383768d16e0922d73
`4674c0da448b546e390a981b819cd4af5cb16cf9`	affected	—

Linux

unaffected

Version	Status	Constraints
`5.15.61`	affected	< 5.15.66
`5.19.2`	affected	< 5.19.8

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc3::::::

No data.

Vendor	Product	Confidence	Versions
Linux	Kernel	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-55253	In the Linux kernel, the following vulnerability has been resolved: skmsg: Fix wrong last sg check in sk_msg_recvmsg() Fix one kernel NULL pointer dereference as below: [ 224.462334] Call Trace: [ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380 [ 224.462441] ? sock_has_perm+0x78/0xa0 [ 224.462463] tcp_bpf_recvmsg+0x12e/0x220 [ 224.462494] inet_recvmsg+0x5b/0xd0 [ 224.462534] __sys_recvfrom+0xc8/0x130 [ 224.462574] ? syscall_trace_enter+0x1df/0x2e0 [ 224.462606] ? __do_page_fault+0x2de/0x500 [ 224.462635] __x64_sys_recvfrom+0x24/0x30 [ 224.462660] do_syscall_64+0x5d/0x1d0 [ 224.462709] entry_SYSCALL_64_after_hwframe+0x65/0xca In commit 9974d37ea75f ("skmsg: Fix invalid last sg check in sk_msg_recvmsg()"), we change last sg check to sg_is_last(), but in sockmap redirection case (without stream_parser/stream_verdict/ skb_verdict), we did not mark the end of the scatterlist. Check the sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all do not mark the end of sg. They are expected to use sg.end for end judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/10ee118a1756141f8e9c87aa7344ed12b41630a8
https://git.kernel.org/stable/c/583585e48d965338e73e1eb383768d16e0922d73
https://git.kernel.org/stable/c/de22cba333d8699ad77e79f862fe1320cb1284de
https://lore.kernel.org/linux-cve-announce/2025061818-CVE-2022-49973-d4f3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-49973
https://www.cve.org/CVERecord?id=CVE-2022-49973

History

Thu, 13 Nov 2025 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux linux Kernel
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.0:rc3::::::
Vendors & Products		Linux linux Kernel

Fri, 20 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025061818-CVE-2022-49973-d4f3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2022-49973 https://www.cve.org/CVERecord?id=CVE-2022-49973
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 18 Jun 2025 11:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: skmsg: Fix wrong last sg check in sk_msg_recvmsg() Fix one kernel NULL pointer dereference as below: [ 224.462334] Call Trace: [ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380 [ 224.462441] ? sock_has_perm+0x78/0xa0 [ 224.462463] tcp_bpf_recvmsg+0x12e/0x220 [ 224.462494] inet_recvmsg+0x5b/0xd0 [ 224.462534] __sys_recvfrom+0xc8/0x130 [ 224.462574] ? syscall_trace_enter+0x1df/0x2e0 [ 224.462606] ? __do_page_fault+0x2de/0x500 [ 224.462635] __x64_sys_recvfrom+0x24/0x30 [ 224.462660] do_syscall_64+0x5d/0x1d0 [ 224.462709] entry_SYSCALL_64_after_hwframe+0x65/0xca In commit 9974d37ea75f ("skmsg: Fix invalid last sg check in sk_msg_recvmsg()"), we change last sg check to sg_is_last(), but in sockmap redirection case (without stream_parser/stream_verdict/ skb_verdict), we did not mark the end of the scatterlist. Check the sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all do not mark the end of sg. They are expected to use sg.end for end judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.
Title		skmsg: Fix wrong last sg check in sk_msg_recvmsg()
References		https://git.kernel.org/stable/c/10ee118a1756141f8e9c87aa7344ed12b41630a8 https://git.kernel.org/stable/c/583585e48d965338e73e1eb383768d16e0922d73 https://git.kernel.org/stable/c/de22cba333d8699ad77e79f862fe1320cb1284de

Subscriptions

Linux Kernel Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-06-18T11:00:36.303Z

Updated: 2026-05-11T19:10:16.844Z

Reserved: 2025-06-18T10:57:27.384Z

Link: CVE-2022-49973

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-06-18T11:15:24.673

Modified: 2025-11-13T21:26:45.497

Link: CVE-2022-49973

Redhat

Severity : Moderate

Publid Date: 2025-06-18T00:00:00Z

Links: CVE-2022-49973 - Bugzilla

OpenCVE Enrichment

Updated: 2025-06-20T13:55:53Z

Weaknesses

CWE-476

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object