{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49086", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:49:39.248Z", "datePublished": "2025-02-26T01:54:44.072Z", "dateUpdated": "2025-05-04T08:29:25.798Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:29:25.798Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix leak of nested actions\n\nWhile parsing user-provided actions, openvswitch module may dynamically\nallocate memory and store pointers in the internal copy of the actions.\nSo this memory has to be freed while destroying the actions.\n\nCurrently there are only two such actions: ct() and set(). However,\nthere are many actions that can hold nested lists of actions and\novs_nla_free_flow_actions() just jumps over them leaking the memory.\n\nFor example, removal of the flow with the following actions will lead\nto a leak of the memory allocated by nf_ct_tmpl_alloc():\n\n actions:clone(ct(commit),0)\n\nNon-freed set() action may also leak the 'dst' structure for the\ntunnel info including device references.\n\nUnder certain conditions with a high rate of flow rotation that may\ncause significant memory leak problem (2MB per second in reporter's\ncase). The problem is also hard to mitigate, because the user doesn't\nhave direct control over the datapath flows generated by OVS.\n\nFix that by iterating over all the nested actions and freeing\neverything that needs to be freed recursively.\n\nNew build time assertion should protect us from this problem if new\nactions will be added in the future.\n\nUnfortunately, openvswitch module doesn't use NLA_F_NESTED, so all\nattributes has to be explicitly checked. sample() and clone() actions\nare mixing extra attributes into the user-provided action list. That\nprevents some code generalization too."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/flow_netlink.c"], "versions": [{"version": "34ae932a40369be6bd6ea97d66b6686361b4370d", "lessThan": "7438dc55c0709819b813f4778aec2c48b782990b", "status": "affected", "versionType": "git"}, {"version": "34ae932a40369be6bd6ea97d66b6686361b4370d", "lessThan": "ef6f9ce0a79aa23b10fc5f3b3cab3814a25aac40", "status": "affected", "versionType": "git"}, {"version": "34ae932a40369be6bd6ea97d66b6686361b4370d", "lessThan": "5ae05b5eb58773cfec307ff88aff4cfd843c4cff", "status": "affected", "versionType": "git"}, {"version": "34ae932a40369be6bd6ea97d66b6686361b4370d", "lessThan": "837b96d8103938e35e7d92cd9db96af914ca4fff", "status": "affected", "versionType": "git"}, {"version": "34ae932a40369be6bd6ea97d66b6686361b4370d", "lessThan": "3554c214b83ec9a839ed574263a34218f372990c", "status": "affected", "versionType": "git"}, {"version": "34ae932a40369be6bd6ea97d66b6686361b4370d", "lessThan": "53bce9d19b0a9d245b25cd050b81652ed974a509", "status": "affected", "versionType": "git"}, {"version": "34ae932a40369be6bd6ea97d66b6686361b4370d", "lessThan": "1f30fb9166d4f15a1aa19449b9da871fe0ed4796", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/flow_netlink.c"], "versions": [{"version": "4.3", "status": "affected"}, {"version": "0", "lessThan": "4.3", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.249", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.200", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.111", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.34", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.20", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.3", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "4.19.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.4.200"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.10.111"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.15.34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.16.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.17.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7438dc55c0709819b813f4778aec2c48b782990b"}, {"url": "https://git.kernel.org/stable/c/ef6f9ce0a79aa23b10fc5f3b3cab3814a25aac40"}, {"url": "https://git.kernel.org/stable/c/5ae05b5eb58773cfec307ff88aff4cfd843c4cff"}, {"url": "https://git.kernel.org/stable/c/837b96d8103938e35e7d92cd9db96af914ca4fff"}, {"url": "https://git.kernel.org/stable/c/3554c214b83ec9a839ed574263a34218f372990c"}, {"url": "https://git.kernel.org/stable/c/53bce9d19b0a9d245b25cd050b81652ed974a509"}, {"url": "https://git.kernel.org/stable/c/1f30fb9166d4f15a1aa19449b9da871fe0ed4796"}], "title": "net: openvswitch: fix leak of nested actions", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFDE78BF-3014-4717-AA33-00F15CE7636B", "versionEndExcluding": "4.19.249", "versionStartIncluding": "4.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "80B2AE57-4A7E-40BB-8C83-33D4436CE199", "versionEndExcluding": "5.4.200", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96258501-7BCE-4C55-8A38-8AC9D327626D", "versionEndExcluding": "5.10.111", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D25878D3-7761-4E9F-8919-E92CD53896E0", "versionEndExcluding": "5.15.34", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABBBA66E-0244-4621-966B-9790AF1EEB00", "versionEndExcluding": "5.16.20", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE420AC7-1E59-4398-B84F-71F4B4337762", "versionEndExcluding": "5.17.3", "versionStartIncluding": "5.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*", "matchCriteriaId": "6AD94161-84BB-42E6-9882-4FC0C42E9FC1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix leak of nested actions\n\nWhile parsing user-provided actions, openvswitch module may dynamically\nallocate memory and store pointers in the internal copy of the actions.\nSo this memory has to be freed while destroying the actions.\n\nCurrently there are only two such actions: ct() and set(). However,\nthere are many actions that can hold nested lists of actions and\novs_nla_free_flow_actions() just jumps over them leaking the memory.\n\nFor example, removal of the flow with the following actions will lead\nto a leak of the memory allocated by nf_ct_tmpl_alloc():\n\n actions:clone(ct(commit),0)\n\nNon-freed set() action may also leak the 'dst' structure for the\ntunnel info including device references.\n\nUnder certain conditions with a high rate of flow rotation that may\ncause significant memory leak problem (2MB per second in reporter's\ncase). The problem is also hard to mitigate, because the user doesn't\nhave direct control over the datapath flows generated by OVS.\n\nFix that by iterating over all the nested actions and freeing\neverything that needs to be freed recursively.\n\nNew build time assertion should protect us from this problem if new\nactions will be added in the future.\n\nUnfortunately, openvswitch module doesn't use NLA_F_NESTED, so all\nattributes has to be explicitly checked. sample() and clone() actions\nare mixing extra attributes into the user-provided action list. That\nprevents some code generalization too."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: openvswitch: fix leak of nested shares Mientras analiza acciones proporcionadas por el usuario, el m\u00f3dulo openvswitch puede asignar memoria din\u00e1micamente y almacenar punteros en la copia interna de las acciones. Por lo tanto, esta memoria debe liberarse mientras se destruyen las acciones. Actualmente solo hay dos acciones de este tipo: ct() y set(). Sin embargo, hay muchas acciones que pueden contener listas anidadas de acciones y ovs_nla_free_flow_actions() simplemente las salta, perdiendo la memoria. Por ejemplo, la eliminaci\u00f3n del flujo con las siguientes acciones provocar\u00e1 una p\u00e9rdida de la memoria asignada por nf_ct_tmpl_alloc(): shares:clone(ct(commit),0) La acci\u00f3n set() no liberada tambi\u00e9n puede perder la estructura 'dst' para la informaci\u00f3n del t\u00fanel, incluidas las referencias del dispositivo. Bajo ciertas condiciones con una alta tasa de rotaci\u00f3n del flujo, esto puede causar un problema de p\u00e9rdida de memoria significativo (2 MB por segundo en el caso del reportero). El problema tambi\u00e9n es dif\u00edcil de mitigar, porque el usuario no tiene control directo sobre los flujos de rutas de datos generados por OVS. Solucione eso iterando sobre todas las acciones anidadas y liberando todo lo que se necesite liberar de forma recursiva. La nueva afirmaci\u00f3n de tiempo de compilaci\u00f3n deber\u00eda protegernos de este problema si se agregan nuevas acciones en el futuro. Desafortunadamente, el m\u00f3dulo openvswitch no usa NLA_F_NESTED, por lo que todos los atributos deben verificarse expl\u00edcitamente. Las acciones sample() y clone() mezclan atributos adicionales en la lista de acciones proporcionada por el usuario. Eso tambi\u00e9n evita cierta generalizaci\u00f3n del c\u00f3digo."}], "id": "CVE-2022-49086", "lastModified": "2025-09-23T18:10:06.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-02-26T07:00:45.940", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f30fb9166d4f15a1aa19449b9da871fe0ed4796"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3554c214b83ec9a839ed574263a34218f372990c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/53bce9d19b0a9d245b25cd050b81652ed974a509"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5ae05b5eb58773cfec307ff88aff4cfd843c4cff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7438dc55c0709819b813f4778aec2c48b782990b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/837b96d8103938e35e7d92cd9db96af914ca4fff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ef6f9ce0a79aa23b10fc5f3b3cab3814a25aac40"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: openvswitch: fix leak of nested actions", "id": "2347770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347770"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: openvswitch: fix leak of nested actions\nWhile parsing user-provided actions, openvswitch module may dynamically\nallocate memory and store pointers in the internal copy of the actions.\nSo this memory has to be freed while destroying the actions.\nCurrently there are only two such actions: ct() and set(). However,\nthere are many actions that can hold nested lists of actions and\novs_nla_free_flow_actions() just jumps over them leaking the memory.\nFor example, removal of the flow with the following actions will lead\nto a leak of the memory allocated by nf_ct_tmpl_alloc():\nactions:clone(ct(commit),0)\nNon-freed set() action may also leak the 'dst' structure for the\ntunnel info including device references.\nUnder certain conditions with a high rate of flow rotation that may\ncause significant memory leak problem (2MB per second in reporter's\ncase). The problem is also hard to mitigate, because the user doesn't\nhave direct control over the datapath flows generated by OVS.\nFix that by iterating over all the nested actions and freeing\neverything that needs to be freed recursively.\nNew build time assertion should protect us from this problem if new\nactions will be added in the future.\nUnfortunately, openvswitch module doesn't use NLA_F_NESTED, so all\nattributes has to be explicitly checked. sample() and clone() actions\nare mixing extra attributes into the user-provided action list. That\nprevents some code generalization too."], "name": "CVE-2022-49086", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49086\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49086\nhttps://lore.kernel.org/linux-cve-announce/2025022657-CVE-2022-49086-a289@gregkh/T"], "threat_severity": "Moderate"}