CVE-2022-49087

Source
https://cve.org/CVERecord?id=CVE-2022-49087
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49087.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49087
Published
2025-02-26T01:54:44.557Z
Modified
2026-05-28T03:53:10.506326910Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
rxrpc: fix a race in rxrpc_exit_net()
Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix a race in rxrpc_exit_net()

Current code can lead to the following race:

CPU0                                                 CPU1

rxrpc_exit_net()
                                                     rxrpc_peer_keepalive_worker()
                                                       if (rxnet->live)

  rxnet->live = false;
  del_timer_sync(&rxnet->peer_keepalive_timer);

                                                             timer_reduce(&rxnet->peer_keepalive_timer, jiffies + delay);

  cancel_work_sync(&rxnet->peer_keepalive_work);

rxrpc_exit_net() exits while peer_keepalive_timer is still armed, leading to use-after-free.

syzbot report was:

ODEBUG: free active (active state 0) object type: timer_list hint: rxrpc_peer_keepalive_timeout+0x0/0xb0
WARNING: CPU: 0 PID: 3660 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Modules linked in:
CPU: 0 PID: 3660 Comm: kworker/u4:6 Not tainted 5.17.0-syzkaller-13993-g88e6c0207623 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 00 1c 26 8a 4c 89 ee 48 c7 c7 00 10 26 8a e8 b1 e7 28 05 <0f> 0b 83 05 15 eb c5 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffc9000353fb00 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff888029196140 RSI: ffffffff815efad8 RDI: fffff520006a7f52
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815ea4ae R11: 0000000000000000 R12: ffffffff89ce23e0
R13: ffffffff8a2614e0 R14: ffffffff816628c0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe1f2908924 CR3: 0000000043720000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __debug_check_no_obj_freed lib/debugobjects.c:992 [inline]
 debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1023
 kfree+0xd6/0x310 mm/slab.c:3809
 ops_free_list.part.0+0x119/0x370 net/core/net_namespace.c:176
 ops_free_list net/core/net_namespace.c:174 [inline]
 cleanup_net+0x591/0xb00 net/core/net_namespace.c:598
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49087.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ace45bec6d77bc061c3c3d8ad99e298ea9800c2b
Fixed
864297ee30727ae6233f80296b7fc91442620b05
Fixed
7ee84d29f22de6f6c63fad6c54690517659862f1
Fixed
08ff0e74fab517dbc44e11b8bc683dd4ecc65950
Fixed
571d8e1d154ca18f08dcb72b69318d36e10010a0
Fixed
41024a40f6c793abbb916a857f18fb009f07464c
Fixed
cd8aef1f30d1215648e4e6686cfb422004851429
Fixed
1946014ca3b19be9e485e780e862c375c6f98bad

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49087.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.17.0
Fixed
4.19.238
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.189
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.111
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.34
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.20
Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49087.json"