{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49878", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-05-01T14:05:17.239Z", "datePublished": "2025-05-01T14:10:26.389Z", "dateUpdated": "2025-05-04T08:47:37.797Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:47:37.797Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, verifier: Fix memory leak in array reallocation for stack state\n\nIf an error (NULL) is returned by krealloc(), callers of realloc_array()\nwere setting their allocation pointers to NULL, but on error krealloc()\ndoes not touch the original allocation. This would result in a memory\nresource leak. Instead, free the old allocation on the error handling\npath.\n\nThe memory leak information is as follows as also reported by Zhengchao:\n\n unreferenced object 0xffff888019801800 (size 256):\n comm \"bpf_repo\", pid 6490, jiffies 4294959200 (age 17.170s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0\n [<0000000086712a0b>] krealloc+0x83/0xd0\n [<00000000139aab02>] realloc_array+0x82/0xe2\n [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186\n [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341\n [<0000000081780455>] do_check_common+0x5358/0xb350\n [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d\n [<000000002973c690>] bpf_prog_load+0x13db/0x2240\n [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0\n [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0\n [<0000000056fedaf5>] do_syscall_64+0x35/0x80\n [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "c69431aab67a912836e5831f03d99a819c14c9c3", "lessThan": "06615967d4889b08b19ff3dda96e8b131282f73d", "status": "affected", "versionType": "git"}, {"version": "c69431aab67a912836e5831f03d99a819c14c9c3", "lessThan": "3e210891c4a4c2d858cd6f9f61d5809af251d4df", "status": "affected", "versionType": "git"}, {"version": "c69431aab67a912836e5831f03d99a819c14c9c3", "lessThan": "42378a9ca55347102bbf86708776061d8fe3ece2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.79", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.9", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.79"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.0.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/06615967d4889b08b19ff3dda96e8b131282f73d"}, {"url": "https://git.kernel.org/stable/c/3e210891c4a4c2d858cd6f9f61d5809af251d4df"}, {"url": "https://git.kernel.org/stable/c/42378a9ca55347102bbf86708776061d8fe3ece2"}], "title": "bpf, verifier: Fix memory leak in array reallocation for stack state", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB443DA9-A9E7-45CA-AAF4-AF14F567FE9F", "versionEndExcluding": "5.15.79", "versionStartIncluding": "5.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3F26709-7D49-4AF0-8145-46CCF4E8E2AD", "versionEndExcluding": "6.0.9", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, verifier: Fix memory leak in array reallocation for stack state\n\nIf an error (NULL) is returned by krealloc(), callers of realloc_array()\nwere setting their allocation pointers to NULL, but on error krealloc()\ndoes not touch the original allocation. This would result in a memory\nresource leak. Instead, free the old allocation on the error handling\npath.\n\nThe memory leak information is as follows as also reported by Zhengchao:\n\n unreferenced object 0xffff888019801800 (size 256):\n comm \"bpf_repo\", pid 6490, jiffies 4294959200 (age 17.170s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0\n [<0000000086712a0b>] krealloc+0x83/0xd0\n [<00000000139aab02>] realloc_array+0x82/0xe2\n [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186\n [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341\n [<0000000081780455>] do_check_common+0x5358/0xb350\n [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d\n [<000000002973c690>] bpf_prog_load+0x13db/0x2240\n [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0\n [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0\n [<0000000056fedaf5>] do_syscall_64+0x35/0x80\n [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, verificador: Se corrige una fuga de memoria en la reasignaci\u00f3n de matriz para el estado de la pila. Si krealloc() devuelve un error (NULL), los usuarios de realloc_array() establec\u00edan sus punteros de asignaci\u00f3n en NULL, pero en caso de error, krealloc() no modifica la asignaci\u00f3n original. Esto provocar\u00eda una fuga de recursos de memoria. En su lugar, se libera la asignaci\u00f3n anterior en la ruta de gesti\u00f3n de errores. La informaci\u00f3n de fuga de memoria es la siguiente, tal como lo inform\u00f3 Zhengchao: objeto sin referencia 0xffff888019801800 (tama\u00f1o 256): comm \"bpf_repo\", pid 6490, jiffies 4294959200 (edad 17.170s) volcado hexadecimal (primeros 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [&lt;00000000b211474b&gt;] __kmalloc_node_track_caller+0x45/0xc0 [&lt;0000000086712a0b&gt;] krealloc+0x83/0xd0 [&lt;00000000139aab02&gt;] realloc_array+0x82/0xe2 [&lt;00000000b1ca41d1&gt;] grow_stack_state+0xfb/0x186 [&lt;00000000cd6f36d2&gt;] check_mem_access.cold+0x141/0x1341 [&lt;0000000081780455&gt;] do_check_common+0x5358/0xb350 [&lt;0000000015f6b091&gt;] bpf_check.cold+0xc3/0x29d [&lt;000000002973c690&gt;] bpf_prog_load+0x13db/0x2240 [&lt;00000000028d1644&gt;] __sys_bpf+0x1605/0x4ce0 [&lt;00000000053f29bd&gt;] __x64_sys_bpf+0x75/0xb0 [&lt;0000000056fedaf5&gt;] do_syscall_64+0x35/0x80 [&lt;000000002bd58261&gt;] entry_SYSCALL_64_after_hwframe+0x63/0xcd "}], "id": "CVE-2022-49878", "lastModified": "2025-05-07T13:21:23.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-05-01T15:16:12.753", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/06615967d4889b08b19ff3dda96e8b131282f73d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3e210891c4a4c2d858cd6f9f61d5809af251d4df"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/42378a9ca55347102bbf86708776061d8fe3ece2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf, verifier: Fix memory leak in array reallocation for stack state", "id": "2363443", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363443"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbpf, verifier: Fix memory leak in array reallocation for stack state\nIf an error (NULL) is returned by krealloc(), callers of realloc_array()\nwere setting their allocation pointers to NULL, but on error krealloc()\ndoes not touch the original allocation. This would result in a memory\nresource leak. Instead, free the old allocation on the error handling\npath.\nThe memory leak information is as follows as also reported by Zhengchao:\nunreferenced object 0xffff888019801800 (size 256):\ncomm \"bpf_repo\", pid 6490, jiffies 4294959200 (age 17.170s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0\n[<0000000086712a0b>] krealloc+0x83/0xd0\n[<00000000139aab02>] realloc_array+0x82/0xe2\n[<00000000b1ca41d1>] grow_stack_state+0xfb/0x186\n[<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341\n[<0000000081780455>] do_check_common+0x5358/0xb350\n[<0000000015f6b091>] bpf_check.cold+0xc3/0x29d\n[<000000002973c690>] bpf_prog_load+0x13db/0x2240\n[<00000000028d1644>] __sys_bpf+0x1605/0x4ce0\n[<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0\n[<0000000056fedaf5>] do_syscall_64+0x35/0x80\n[<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd"], "name": "CVE-2022-49878", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49878\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49878\nhttps://lore.kernel.org/linux-cve-announce/2025050153-CVE-2022-49878-1e05@gregkh/T"], "threat_severity": "Moderate"}