CVE-2022-50243
- Source
- https://cve.org/CVERecord?id=CVE-2022-50243
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50243.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-50243
- Downstream
- Published
- 2025-09-15T14:01:52.101Z
- Modified
- 2026-03-20T12:07:57.281809Z
- Summary
- sctp: handle the error returned from sctp_auth_asoc_init_active_key
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
sctp: handle the error returned from sctpauthasocinitactive_key
When it returns an error from sctpauthasocinitactivekey(), the activekey is actually not updated. The old sh_key will be freeed while it's still used as active key in asoc. Then an use-after-free will be triggered when sending patckets, as found by syzbot:
sctpauthshkeyhold+0x22/0xa0 net/sctp/auth.c:112 sctpsetownerw net/sctp/socket.c:132 [inline] sctpsendmsgtoasoc+0xbd5/0x1a20 net/sctp/socket.c:1863 sctpsendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 inetsendmsg+0x99/0xe0 net/ipv4/afinet.c:819 socksendmsgnosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734
This patch is to fix it by not replacing the shkey when it returns errors from sctpauthasocinitactivekey() in sctpauthsetkey(). For sctpauthsetactivekey(), old activekeyid will be set back to asoc->activekey_id when the same thing happens.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50243.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/022152aaebe116a25c39818a07e175a8cd3c1e11
- https://git.kernel.org/stable/c/0f90099d18e3abdc01babf686f41f63fe04939c1
- https://git.kernel.org/stable/c/19d636b663e0e92951bba5fced929ca7fd25c552
- https://git.kernel.org/stable/c/382ff44716603a54f5fd238ddec6a2468e217612
- https://git.kernel.org/stable/c/3b0fcf5e29c0940e1169ce9c44f73edd98bdf12d
- https://git.kernel.org/stable/c/b8fa99a3a11bdd77fef6b4a97f1021eb30b5ba40
- https://git.kernel.org/stable/c/f65955340e0044f5c41ac799a01698ac7dee8a4e
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50243.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-50243
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced50b57223da67653c61e405d0a7592355cfe4585eFixedb8fa99a3a11bdd77fef6b4a97f1021eb30b5ba40
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb60461696a0b0fdaf240bc365b7983698f88ded2Fixed382ff44716603a54f5fd238ddec6a2468e217612
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8eb225873246312660ccd68296959a7b213d0cddFixedf65955340e0044f5c41ac799a01698ac7dee8a4e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced58acd10092268831e49de279446c314727101292Fixed19d636b663e0e92951bba5fced929ca7fd25c552Fixed0f90099d18e3abdc01babf686f41f63fe04939c1Fixed3b0fcf5e29c0940e1169ce9c44f73edd98bdf12dFixed022152aaebe116a25c39818a07e175a8cd3c1e11
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedc1de376423a7759bf4fa25d6a038a4c1e035c9e1