What is CVE-2022-49865?

CVE-2022-49865 is a High severity Linux kernel vulnerability with a CVSS score of 7.1 out of 10, affecting Linux kernel versions from 2.6.25 onward and patched in 4.9.334, 4.14.300, 4.19.267 and others. CVE-2022-49865 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2022-49865?

CVE-2022-49865 has a CVSS score of 7.1 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.

Is there a patch available for CVE-2022-49865?

Yes, CVE-2022-49865 has been patched. Fixed versions include 4.9.334, 4.14.300, 4.19.267 and others. If you are running Linux kernel 2.6.25 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2022-49865 actively exploited?

CVE-2022-49865 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2022-49865

High

In the Linux kernel, the following vulnerability has been resolved: ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved remained uninitialized, resulting in a 1-byte infoleak: BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841 __netdev_start_xmit ./include/linux/netdevice.h:4841 netdev_start_xmit ./include/linux/netdevice.h:4857 xmit_one net/core/dev.c:3590 dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 dev_queue_xmit ./include/linux/netdevice.h:3009 __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 __netlink_sendskb net/netlink/af_netlink.c:1263 netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 nlmsg_unicast ./include/net/netlink.h:1061 rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 ... Uninit was created at: slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 slab_alloc_node mm/slub.c:3398 __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 __do_kmalloc_node mm/slab_common.c:954 __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 kmalloc_reserve net/core/skbuff.c:437 __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 alloc_skb ./include/linux/skbuff.h:1267 nlmsg_new ./include/net/netlink.h:964 ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 netlink_unicast_kernel net/netlink/af_netlink.c:1319 netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 ... This patch ensures that the reserved field is always initialized.

Package Linux Kernel

Published 2025-05-01

Last modified 2026-01-23

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

7.1

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Weakness type

CWE-909

CVE-2022-49865 is classified as CWE-909

See CWE-909 on MITRE CWE for full details on this weakness type.

Affected versions

Linux kernel versions 2.6.25 and later are affected. Fixed in 4.9.334, 4.14.300, 4.19.267, 5.4.225, 5.10.155, 5.15.79, 6.0.9, 6.1 and their respective stable series.

Affected from

≥ 2.6.25

Fixed in

✓ 4.9.334 4.9.x ✓ 4.14.300 4.14.x ✓ 4.19.267 4.19.x ✓ 5.4.225 5.4.x ✓ 5.10.155 5.10.x ✓ 5.15.79 5.15.x ✓ 6.0.9 6.0.x ✓ 6.1

References

The following references provide additional information about CVE-2022-49865 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/0f85b7ae7c4b5d7b4bbf7ac653a733c181a8a2bf
Patch
Kernel patch commit
https://git.kernel.org/stable/c/2acb2779b147decd300c117683d5a32ce61c75d6
Patch
Kernel patch commit
https://git.kernel.org/stable/c/49e92ba5ecd7d72ba369dde2ccff738edd028a47
Patch

8 patch commits total View all on NVD

Details

CVE ID CVE-2022-49865

Severity High

CVSS score 7.1 / 10

CVSS version 3.1

Published 2025-05-01

Modified 2026-01-23

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2022-49865?

CVE-2022-49865 is a High severity Linux kernel vulnerability with a CVSS score of 7.1 out of 10 . It affects Linux kernel versions from 2.6.25 onward and has been patched in 4.9.334, 4.14.300, 4.19.267 and others. CVE-2022-49865 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2022-49865?

CVE-2022-49865 has a CVSS score of 7.1 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.
Is there a patch available for CVE-2022-49865?

Yes — CVE-2022-49865 has been patched. Fixed versions include 4.9.334, 4.14.300, 4.19.267 and others. If you are running Linux kernel 2.6.25 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2022-49865 actively exploited?

No — CVE-2022-49865 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.