CVE-2022-50838

Vulnerability

Description

CVE-2022-50838 is a reference-count leak in the Linux kernel's networking stack that can lead to indefinite TCP socket pinning. The root cause is that sk_stream_kill_queues() does not purge the sk_error_queue. When applications use both SOF_TIMESTAMPING_TX_ACK and MSG_ZEROCOPY, cloned skbs with attached ubuf_info structures are queued to the error queue. Each such skb holds a socket reference via sock_hold(), preventing the socket from being freed.[1]

Attack

Vector and Exploitation

An attacker with the ability to create TCP sockets and enable the described socket options can trigger the leak. The exploit requires no special privileges beyond unprivileged access to the socket() and setsockopt() system calls. By repeatedly opening and closing sockets while using SOF_TIMESTAMPING_TX_ACK and MSG_ZEROCOPY, the attacker can cause the kernel to retain many TCP sockets indefinitely. Because each leaked socket consumes memory, this can be abused to exhaust system memory and freeze the host.[2]

Impact

Successful exploitation results in a local denial-of-service (DoS) condition. The kernel memory exhaustion can make the system unresponsive, requiring a hard reboot. The vulnerability is classified as high severity due to the ease of triggering it from unprivileged user space and the unavailability of any mitigation for affected systems without patching.

Mitigation

Patches are available in the Linux kernel stable releases. The fix adds proper purging of the error queue in sk_stream_kill_queues(), with synchronization against concurrent writers. System administrators should apply the latest kernel updates from their distribution. No workaround is available that does not involve changing application behavior or disabling the affected features.[3]