ghsa-jq2f-5728-j337
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: fix race in sock_map_free()
sock_map_free() calls release_sock(sk) without owning a reference on the socket. This can cause use-after-free as syzbot found [1]
Jakub Sitnicki already took care of a similar issue in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free")
[1] refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 Modules linked in: CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246 RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0 RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5 R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004 R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_dec include/linux/refcount.h:344 [inline] refcount_dec include/linux/refcount.h:359 [inline] __sock_put include/net/sock.h:779 [inline] tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092 release_sock+0xaf/0x1c0 net/core/sock.c:3468 sock_map_free+0x219/0x2c0 net/core/sock_map.c:356 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 kthread+0x266/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
{ "affected": [], "aliases": [ "CVE-2022-50259" ], "database_specific": { "cwe_ids": [], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2025-09-15T14:15:36Z", "severity": null }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: fix race in sock_map_free()\n\nsock_map_free() calls release_sock(sk) without owning a reference\non the socket. This can cause use-after-free as syzbot found [1]\n\nJakub Sitnicki already took care of a similar issue\nin sock_hash_free() in commit 75e68e5bf2c7 (\"bpf, sockhash:\nSynchronize delete from bucket list on map free\")\n\n[1]\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31\nModules linked in:\nCPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nWorkqueue: events_unbound bpf_map_free_deferred\nRIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31\nCode: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd \u003c0f\u003e 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff\nRSP: 0018:ffffc9000456fb60 EFLAGS: 00010246\nRAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0\nRDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000\nRBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5\nR10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004\nR13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n__refcount_dec include/linux/refcount.h:344 [inline]\nrefcount_dec include/linux/refcount.h:359 [inline]\n__sock_put include/net/sock.h:779 [inline]\ntcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092\nrelease_sock+0xaf/0x1c0 net/core/sock.c:3468\nsock_map_free+0x219/0x2c0 net/core/sock_map.c:356\nprocess_one_work+0x81c/0xd10 kernel/workqueue.c:2289\nworker_thread+0xb14/0x1330 kernel/workqueue.c:2436\nkthread+0x266/0x300 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\u003c/TASK\u003e", "id": "GHSA-jq2f-5728-j337", "modified": "2025-09-15T15:31:22Z", "published": "2025-09-15T15:31:22Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50259" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/0a182f8d607464911756b4dbef5d6cad8de22469" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/4cabc3af4a6f36c222fecb15858c1060e59218e7" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/5c3568166129bc73fd6b37748d2d8f95cd8f22f3" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/a443c55d96dede82a724df6e70a318ad15c199e1" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/be719496ae6a7fc325e9e5056a52f63ebc84cc0c" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62" } ], "schema_version": "1.4.0", "severity": [] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.