CVE-2022-49691

Source
https://cve.org/CVERecord?id=CVE-2022-49691
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49691.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49691
Downstream
Published
2025-02-26T02:24:15.146Z
Modified
2026-06-18T03:54:58.959874063Z
Summary
erspan: do not assume transport header is always set
Details

In the Linux kernel, the following vulnerability has been resolved:

erspan: do not assume transport header is always set

Rewrite tests in ip6erspantunnelxmit() and erspanfbxmit() to not assume transport header is set.

syzbot reported:

WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 skbtransportheader include/linux/skbuff.h:2911 [inline] WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 ip6erspantunnelxmit+0x15af/0x2eb0 net/ipv6/ip6gre.c:963 Modules linked in: CPU: 0 PID: 1350 Comm: aoetx0 Not tainted 5.19.0-rc2-syzkaller-00160-g274295c6e53f #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 RIP: 0010:skbtransportheader include/linux/skbuff.h:2911 [inline] RIP: 0010:ip6erspantunnelxmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963 Code: 0f 47 f0 40 88 b5 7f fe ff ff e8 8c 16 4b f9 89 de bf ff ff ff ff e8 a0 12 4b f9 66 83 fb ff 0f 85 1d f1 ff ff e8 71 16 4b f9 <0f> 0b e9 43 f0 ff ff e8 65 16 4b f9 48 8d 85 30 ff ff ff ba 60 00 RSP: 0018:ffffc90005daf910 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000 RDX: ffff88801f032100 RSI: ffffffff882e8d3f RDI: 0000000000000003 RBP: ffffc90005dafab8 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000000 R12: ffff888024f21d40 R13: 000000000000a288 R14: 00000000000000b0 R15: ffff888025a2e000 FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2e425000 CR3: 000000006d099000 CR4: 0000000000152ef0 Call Trace: <TASK> __netdevstartxmit include/linux/netdevice.h:4805 [inline] netdevstartxmit include/linux/netdevice.h:4819 [inline] xmitone net/core/dev.c:3588 [inline] devhardstartxmit+0x188/0x880 net/core/dev.c:3604 schdirectxmit+0x19f/0xbe0 net/sched/sch_generic.c:342 __devxmitskb net/core/dev.c:3815 [inline] _devqueuexmit+0x14a1/0x3900 net/core/dev.c:4219 devqueuexmit include/linux/netdevice.h:2994 [inline] tx+0x6a/0xc0 drivers/block/aoe/aoenet.c:63 kthread+0x1e7/0x3b0 drivers/block/aoe/aoecmd.c:1229 kthread+0x2e9/0x3a0 kernel/kthread.c:376 retfromfork+0x1f/0x30 arch/x86/entry/entry64.S:302 </TASK>

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49691.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d5db21a3e6977dcb42cee3d16cd69901fa66510a
Fixed
fb401f37f6eadf24956d93687e5758c163c0d12b
Fixed
02da602bc2f353dccd9e489a604490034ded941e
Fixed
cec9867ee55478ef5dcb2adf030fe0c442a4c4ee
Fixed
a3b2470399f679587c45abe56e551caf10becca2
Fixed
2c8aeffc7c586d53e1d380f010bdca4f710f2480
Fixed
301bd140ed0b24f0da660874c7e8a47dad8c8222

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49691.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.18.0
Fixed
4.19.250
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.202
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.127
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.51
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.18.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49691.json"