What is CVE-2022-49979?

CVE-2022-49979 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, affecting Linux kernel versions from 5.15.22 onward and patched in 5.15.65, 5.19.7 and 6.0. CVE-2022-49979 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2022-49979?

CVE-2022-49979 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2022-49979?

Yes, CVE-2022-49979 has been patched. Fixed versions include 5.15.65, 5.19.7 and 6.0. If you are running Linux kernel 5.15.22 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2022-49979 actively exploited?

CVE-2022-49979 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2022-49979

Medium

In the Linux kernel, the following vulnerability has been resolved: net: fix refcount bug in sk_psock_get (2) Syzkaller reports refcount bug as follows: ------------[ cut here ]------------ refcount_t: saturated; leaking memory. WARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19 Modules linked in: CPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0 <TASK> __refcount_add_not_zero include/linux/refcount.h:163 [inline] __refcount_inc_not_zero include/linux/refcount.h:227 [inline] refcount_inc_not_zero include/linux/refcount.h:245 [inline] sk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439 tls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091 tcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983 tcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057 tcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659 tcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682 sk_backlog_rcv include/net/sock.h:1061 [inline] __release_sock+0x134/0x3b0 net/core/sock.c:2849 release_sock+0x54/0x1b0 net/core/sock.c:3404 inet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909 __sys_shutdown_sock net/socket.c:2331 [inline] __sys_shutdown_sock net/socket.c:2325 [inline] __sys_shutdown+0xf1/0x1b0 net/socket.c:2343 __do_sys_shutdown net/socket.c:2351 [inline] __se_sys_shutdown net/socket.c:2349 [inline] __x64_sys_shutdown+0x50/0x70 net/socket.c:2349 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 </TASK> During SMC fallback process in connect syscall, kernel will replaces TCP with SMC. In order to forward wakeup smc socket waitqueue after fallback, kernel will sets clcsk->sk_user_data to origin smc socket in smc_fback_replace_callbacks(). Later, in shutdown syscall, kernel will calls sk_psock_get(), which treats the clcsk->sk_user_data as psock type, triggering the refcnt warning. So, the root cause is that smc and psock, both will use sk_user_data field. So they will mismatch this field easily. This patch solves it by using another bit(defined as SK_USER_DATA_PSOCK) in PTRMASK, to mark whether sk_user_data points to a psock object or not. This patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e ("net, sk_msg: Clear sk_user_data pointer on clone if tagged"). For there will possibly be more flags in the sk_user_data field, this patch also refactor sk_user_data flags code to be more generic to improve its maintainability.

Package Linux Kernel

Published 2025-06-18

Last modified 2025-12-23

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected versions

Linux kernel versions 5.15.22, 5.16.8, 5.17 and later are affected. Fixed in 5.15.65, 5.19.7, 6.0 and their respective stable series.

Affected from

≥ 5.15.22 ≥ 5.16.8 ≥ 5.17

Fixed in

✓ 5.15.65 5.15.x ✓ 5.19.7 5.19.x ✓ 6.0

References

The following references provide additional information about CVE-2022-49979 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/2a0133723f9ebeb751cfce19f74ec07e108bef1f
Patch
Kernel patch commit
https://git.kernel.org/stable/c/86026be8535c16fcc5e4f960286faf04d7f77815
Patch
Kernel patch commit
https://git.kernel.org/stable/c/a5d1cb908131e939bd8b63b8e5e23365bbc2edaf
Patch

Details

CVE ID CVE-2022-49979

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2025-06-18

Modified 2025-12-23

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2022-49979?

CVE-2022-49979 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 . It affects Linux kernel versions from 5.15.22 onward and has been patched in 5.15.65, 5.19.7 and 6.0. CVE-2022-49979 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2022-49979?

CVE-2022-49979 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2022-49979?

Yes — CVE-2022-49979 has been patched. Fixed versions include 5.15.65, 5.19.7 and 6.0. If you are running Linux kernel 5.15.22 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2022-49979 actively exploited?

No — CVE-2022-49979 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.