CVE-2022-50865

In the Linux kernel, the tcp_add_backlog() function calculates a memory limit by summing sk_rcvbuf, sk_sndbuf, and 64 KiB. Since these fields are signed ints, the sum can overflow when the buffer sizes are large, resulting in a negative or erroneously small limit. This overflow can disrupt proper TCP backlog handling [1][2].

The vulnerability is in the network stack's backlog processing, triggered by normal network traffic. An attacker does not need any special access; they only need to send TCP packets that cause the receiving socket's buffers to be large enough to trigger the overflow. The overflow leads to incorrect limit calculations, potentially allowing the backlog queue to grow excessively or be incorrectly capped.

Impact: A successful exploitation could cause memory corruption, system instability, or a denial of service by exhausting kernel memory or triggering other faults. The bug is in a core networking path, so it could affect a wide range of services relying on TCP.

Both references [1][2] point to stable kernel commits that apply the fix: halving the contribution of sndbuf to the limit calculation to keep the sum within the signed int range. Users should apply these kernel updates to mitigate the issue. No workaround other than patching is known.