{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49871", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-05-01T14:05:17.238Z", "datePublished": "2025-05-01T14:10:21.760Z", "dateUpdated": "2025-05-04T08:47:23.635Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:47:23.635Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Fix memory leaks of napi_get_frags\n\nkmemleak reports after running test_progs:\n\nunreferenced object 0xffff8881b1672dc0 (size 232):\n comm \"test_progs\", pid 394388, jiffies 4354712116 (age 841.975s)\n hex dump (first 32 bytes):\n e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g.....\n 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\n backtrace:\n [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150\n [<0000000041c7fc09>] __napi_build_skb+0x15/0x50\n [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540\n [<000000003ecfa30e>] napi_get_frags+0x59/0x140\n [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]\n [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]\n [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320\n [<000000008f338ea2>] do_iter_write+0x135/0x630\n [<000000008a3377a4>] vfs_writev+0x12e/0x440\n [<00000000a6b5639a>] do_writev+0x104/0x280\n [<00000000ccf065d8>] do_syscall_64+0x3b/0x90\n [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe issue occurs in the following scenarios:\ntun_get_user()\n napi_gro_frags()\n napi_frags_finish()\n case GRO_NORMAL:\n gro_normal_one()\n list_add_tail(&skb->list, &napi->rx_list);\n <-- While napi->rx_count < READ_ONCE(gro_normal_batch),\n <-- gro_normal_list() is not called, napi->rx_list is not empty\n <-- not ask to complete the gro work, will cause memory leaks in\n <-- following tun_napi_del()\n...\ntun_napi_del()\n netif_napi_del()\n __netif_napi_del()\n <-- &napi->rx_list is not empty, which caused memory leaks\n\nTo fix, add napi_complete() after napi_gro_frags()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/tun.c"], "versions": [{"version": "90e33d45940793def6f773b2d528e9f3c84ffdc7", "lessThan": "223ef6a94e52331a6a7ef31e59921e0e82d2d40a", "status": "affected", "versionType": "git"}, {"version": "90e33d45940793def6f773b2d528e9f3c84ffdc7", "lessThan": "a4f73f6adc53fd7a3f9771cbc89a03ef39b0b755", "status": "affected", "versionType": "git"}, {"version": "90e33d45940793def6f773b2d528e9f3c84ffdc7", "lessThan": "3401f964028ac941425b9b2c8ff8a022539ef44a", "status": "affected", "versionType": "git"}, {"version": "90e33d45940793def6f773b2d528e9f3c84ffdc7", "lessThan": "d7569302a7a52a9305d2fb054df908ff985553bb", "status": "affected", "versionType": "git"}, {"version": "90e33d45940793def6f773b2d528e9f3c84ffdc7", "lessThan": "8b12a020b20a78f62bedc50f26db3bf4fadf8cb9", "status": "affected", "versionType": "git"}, {"version": "90e33d45940793def6f773b2d528e9f3c84ffdc7", "lessThan": "1118b2049d77ca0b505775fc1a8d1909cf19a7ec", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/tun.c"], "versions": [{"version": "4.15", "status": "affected"}, {"version": "0", "lessThan": "4.15", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.267", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.225", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.155", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.79", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.9", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.4.225"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.10.155"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.15.79"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.0.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/223ef6a94e52331a6a7ef31e59921e0e82d2d40a"}, {"url": "https://git.kernel.org/stable/c/a4f73f6adc53fd7a3f9771cbc89a03ef39b0b755"}, {"url": "https://git.kernel.org/stable/c/3401f964028ac941425b9b2c8ff8a022539ef44a"}, {"url": "https://git.kernel.org/stable/c/d7569302a7a52a9305d2fb054df908ff985553bb"}, {"url": "https://git.kernel.org/stable/c/8b12a020b20a78f62bedc50f26db3bf4fadf8cb9"}, {"url": "https://git.kernel.org/stable/c/1118b2049d77ca0b505775fc1a8d1909cf19a7ec"}], "title": "net: tun: Fix memory leaks of napi_get_frags", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5C69A12-68E2-400E-9A5A-375A673C8402", "versionEndExcluding": "4.19.267", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "94D21814-3051-4860-AB06-C7880A3D4933", "versionEndExcluding": "5.4.225", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "172AC75C-0949-4468-9C58-64E2893EF0CE", "versionEndExcluding": "5.10.155", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "39DC45D8-E30E-4F4A-9332-393B7BCF6900", "versionEndExcluding": "5.15.79", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3F26709-7D49-4AF0-8145-46CCF4E8E2AD", "versionEndExcluding": "6.0.9", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Fix memory leaks of napi_get_frags\n\nkmemleak reports after running test_progs:\n\nunreferenced object 0xffff8881b1672dc0 (size 232):\n comm \"test_progs\", pid 394388, jiffies 4354712116 (age 841.975s)\n hex dump (first 32 bytes):\n e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g.....\n 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\n backtrace:\n [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150\n [<0000000041c7fc09>] __napi_build_skb+0x15/0x50\n [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540\n [<000000003ecfa30e>] napi_get_frags+0x59/0x140\n [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]\n [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]\n [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320\n [<000000008f338ea2>] do_iter_write+0x135/0x630\n [<000000008a3377a4>] vfs_writev+0x12e/0x440\n [<00000000a6b5639a>] do_writev+0x104/0x280\n [<00000000ccf065d8>] do_syscall_64+0x3b/0x90\n [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe issue occurs in the following scenarios:\ntun_get_user()\n napi_gro_frags()\n napi_frags_finish()\n case GRO_NORMAL:\n gro_normal_one()\n list_add_tail(&skb->list, &napi->rx_list);\n <-- While napi->rx_count < READ_ONCE(gro_normal_batch),\n <-- gro_normal_list() is not called, napi->rx_list is not empty\n <-- not ask to complete the gro work, will cause memory leaks in\n <-- following tun_napi_del()\n...\ntun_napi_del()\n netif_napi_del()\n __netif_napi_del()\n <-- &napi->rx_list is not empty, which caused memory leaks\n\nTo fix, add napi_complete() after napi_gro_frags()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tun: Se corrigen las fugas de memoria de napi_get_frags que informa kmemleak tras ejecutar test_progs: objeto sin referencia 0xffff8881b1672dc0 (tama\u00f1o 232): comm \"test_progs\", pid 394388, jiffies 4354712116 (edad 841,975 s) volcado hexadecimal (primeros 32 bytes): e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g..... 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace: [&lt;00000000c8f01748&gt;] napi_skb_cache_get+0xd4/0x150 [&lt;0000000041c7fc09&gt;] __napi_build_skb+0x15/0x50 [&lt;00000000431c7079&gt;] __napi_alloc_skb+0x26e/0x540 [&lt;000000003ecfa30e&gt;] napi_get_frags+0x59/0x140 [&lt;0000000099b2199e&gt;] tun_get_user+0x183d/0x3bb0 [tun] [&lt;000000008a5adef0&gt;] tun_chr_write_iter+0xc0/0x1b1 [tun] El problema ocurre en los siguientes escenarios: tun_get_user() napi_gro_frags() napi_frags_finish() caso GRO_NORMAL: gro_normal_one() list_add_tail(&amp;skb-&gt;list, &amp;napi-&gt;rx_list); &lt;-- Mientras napi-&gt;rx_count &lt; READ_ONCE(gro_normal_batch), &lt;-- gro_normal_list() no se llama, napi-&gt;rx_list no est\u00e1 vac\u00edo &lt;-- no solicita completar el trabajo de gro, causar\u00e1 p\u00e9rdidas de memoria en &lt;-- siguientes tun_napi_del() ... tun_napi_del() netif_napi_del() __netif_napi_del() &lt;-- &amp;napi-&gt;rx_list no est\u00e1 vac\u00edo, lo que caus\u00f3 p\u00e9rdidas de memoria Para corregirlo, agregue napi_complete() despu\u00e9s de napi_gro_frags()."}], "id": "CVE-2022-49871", "lastModified": "2025-05-07T13:22:01.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-05-01T15:16:12.030", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1118b2049d77ca0b505775fc1a8d1909cf19a7ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/223ef6a94e52331a6a7ef31e59921e0e82d2d40a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3401f964028ac941425b9b2c8ff8a022539ef44a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8b12a020b20a78f62bedc50f26db3bf4fadf8cb9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a4f73f6adc53fd7a3f9771cbc89a03ef39b0b755"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d7569302a7a52a9305d2fb054df908ff985553bb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: tun: Fix memory leaks of napi_get_frags", "id": "2363464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363464"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: tun: Fix memory leaks of napi_get_frags\nkmemleak reports after running test_progs:\nunreferenced object 0xffff8881b1672dc0 (size 232):\ncomm \"test_progs\", pid 394388, jiffies 4354712116 (age 841.975s)\nhex dump (first 32 bytes):\ne0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g.....\n00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\nbacktrace:\n[<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150\n[<0000000041c7fc09>] __napi_build_skb+0x15/0x50\n[<00000000431c7079>] __napi_alloc_skb+0x26e/0x540\n[<000000003ecfa30e>] napi_get_frags+0x59/0x140\n[<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]\n[<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]\n[<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320\n[<000000008f338ea2>] do_iter_write+0x135/0x630\n[<000000008a3377a4>] vfs_writev+0x12e/0x440\n[<00000000a6b5639a>] do_writev+0x104/0x280\n[<00000000ccf065d8>] do_syscall_64+0x3b/0x90\n[<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe issue occurs in the following scenarios:\ntun_get_user()\nnapi_gro_frags()\nnapi_frags_finish()\ncase GRO_NORMAL:\ngro_normal_one()\nlist_add_tail(&skb->list, &napi->rx_list);\n<-- While napi->rx_count < READ_ONCE(gro_normal_batch),\n<-- gro_normal_list() is not called, napi->rx_list is not empty\n<-- not ask to complete the gro work, will cause memory leaks in\n<-- following tun_napi_del()\n...\ntun_napi_del()\nnetif_napi_del()\n__netif_napi_del()\n<-- &napi->rx_list is not empty, which caused memory leaks\nTo fix, add napi_complete() after napi_gro_frags()."], "name": "CVE-2022-49871", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49871\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49871\nhttps://lore.kernel.org/linux-cve-announce/2025050151-CVE-2022-49871-619c@gregkh/T"], "threat_severity": "Moderate"}