CVE-2022-50071

In the Linux kernel, the following vulnerability has been resolved: mptcp: move subflow cleanup in mptcp_destroy_common() If the mptcp socket creation fails due to a CGROUP_INET_SOCK_CREATE eBPF program, the MPTCP protocol ends-up leaking all the subflows: the related cleanup happens in __mptcp_destroy_sock() that is not invoked in such code path. Address the issue moving the subflow sockets cleanup in the mptcp_destroy_common() helper, which is invoked in every msk cleanup path. Additionally get rid of the intermediate list_splice_init step, which is an unneeded relic from the past. The issue is present since before the reported root cause commit, but any attempt to backport the fix before that hash will require a complete rewrite.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/6139039c8fc5c9dbcdc3ad389b9a6d0cacb4d693	Patch
https://git.kernel.org/stable/c/c0bf3c6aa444a5ef44acc57ef6cfa53fd4fc1c9b	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

17 Nov 2025, 18:15

Type	Values Removed	Values Added
CPE		cpe:2.3:o:linux:linux_kernel::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
First Time		Linux linux Kernel Linux
CWE		NVD-CWE-noinfo
References	~~() https://git.kernel.org/stable/c/6139039c8fc5c9dbcdc3ad389b9a6d0cacb4d693 -~~	() https://git.kernel.org/stable/c/6139039c8fc5c9dbcdc3ad389b9a6d0cacb4d693 - Patch
References	~~() https://git.kernel.org/stable/c/c0bf3c6aa444a5ef44acc57ef6cfa53fd4fc1c9b -~~	() https://git.kernel.org/stable/c/c0bf3c6aa444a5ef44acc57ef6cfa53fd4fc1c9b - Patch

Information

Published : 2025-06-18 11:15

Updated : 2025-11-17 18:15

NVD link : CVE-2022-50071

Mitre link : CVE-2022-50071

CVE.ORG link : CVE-2022-50071

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-50071", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:35.950", "references": [{"url": "https://git.kernel.org/stable/c/6139039c8fc5c9dbcdc3ad389b9a6d0cacb4d693", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c0bf3c6aa444a5ef44acc57ef6cfa53fd4fc1c9b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: move subflow cleanup in mptcp_destroy_common()\n\nIf the mptcp socket creation fails due to a CGROUP_INET_SOCK_CREATE\neBPF program, the MPTCP protocol ends-up leaking all the subflows:\nthe related cleanup happens in __mptcp_destroy_sock() that is not\ninvoked in such code path.\n\nAddress the issue moving the subflow sockets cleanup in the\nmptcp_destroy_common() helper, which is invoked in every msk cleanup\npath.\n\nAdditionally get rid of the intermediate list_splice_init step, which\nis an unneeded relic from the past.\n\nThe issue is present since before the reported root cause commit, but\nany attempt to backport the fix before that hash will require a complete\nrewrite."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: mover la limpieza del subflujo en mptcp_destroy_common() Si la creaci\u00f3n del socket mptcp falla debido a un programa eBPF CGROUP_INET_SOCK_CREATE, el protocolo MPTCP termina filtrando todos los subflujos: la limpieza relacionada ocurre en __mptcp_destroy_sock() que no se invoca en dicha ruta de c\u00f3digo. Aborda el problema moviendo la limpieza de los sockets del subflujo en el ayudante mptcp_destroy_common(), que se invoca en cada ruta de limpieza de msk. Adem\u00e1s, deshazte del paso intermedio list_splice_init, que es una reliquia innecesaria del pasado. El problema est\u00e1 presente desde antes de el commit de la causa ra\u00edz informada, pero cualquier intento de retroportar la soluci\u00f3n antes de ese hash requerir\u00e1 una reescritura completa."}], "lastModified": "2025-11-17T18:15:43.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5319F66B-1A07-44F4-A11D-A32951DDF3B9", "versionEndExcluding": "5.19.4", "versionStartIncluding": "5.11"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}