What is CVE-2022-50838?

CVE-2022-50838 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 4.9.291 onward and patched in 4.9.337, 4.14.303, 4.19.270 and others. CVE-2022-50838 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2022-50838?

CVE-2022-50838 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2022-50838?

Yes, CVE-2022-50838 has been patched. Fixed versions include 4.9.337, 4.14.303, 4.19.270 and others. If you are running Linux kernel 4.9.291 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2022-50838 actively exploited?

CVE-2022-50838 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2022-50838

In the Linux kernel, the following vulnerability has been resolved: net: stream: purge sk_error_queue in sk_stream_kill_queues() Changheon Lee reported TCP socket leaks, with a nice repro. It seems we leak TCP sockets with the following sequence: 1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket. Each ACK will cook an skb put in error queue, from __skb_tstamp_tx(). __skb_tstamp_tx() is using skb_clone(), unless SOF_TIMESTAMPING_OPT_TSONLY was also requested. 2) If the application is also using MSG_ZEROCOPY, then we put in the error queue cloned skbs that had a struct ubuf_info attached to them. Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc() does a sock_hold(). As long as the cloned skbs are still in sk_error_queue, socket refcount is kept elevated. 3) Application closes the socket, while error queue is not empty. Since tcp_close() no longer purges the socket error queue, we might end up with a TCP socket with at least one skb in error queue keeping the socket alive forever. This bug can be (ab)used to consume all kernel memory and freeze the host. We need to purge the error queue, with proper synchronization against concurrent writers.

Package Linux Kernel

Published 2025-12-30

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 4.9.291, 4.14.256, 4.19.218, 5.4.160, 5.10.80, 5.15.3, 4.4.293, 5.14.19, 5.16 and later are affected. Fixed in 4.9.337, 4.14.303, 4.19.270, 5.4.229, 5.10.163, 5.15.86, 6.0.16, 6.1.2, 6.2 and their respective stable series.

Affected from

≥ 4.9.291 ≥ 4.14.256 ≥ 4.19.218 ≥ 5.4.160 ≥ 5.10.80 ≥ 5.15.3 ≥ 4.4.293 ≥ 5.14.19 ≥ 5.16

Fixed in

✓ 4.9.337 4.9.x ✓ 4.14.303 4.14.x ✓ 4.19.270 4.19.x ✓ 5.4.229 5.4.x ✓ 5.10.163 5.10.x ✓ 5.15.86 5.15.x ✓ 6.0.16 6.0.x ✓ 6.1.2 6.1.x ✓ 6.2

References

The following references provide additional information about CVE-2022-50838 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/4f1d37ff4226eb99d6b69e9f4518e279e1a851bf
Patch
Kernel patch commit
https://git.kernel.org/stable/c/6f00bd0402a1e3d2d556afba57c045bd7931e4d3
Patch
Kernel patch commit
https://git.kernel.org/stable/c/8c330c36b3970d0917f48827fa6c7a9c75aa4602
Patch

9 patch commits total View all on NVD

Frequently asked questions

What is CVE-2022-50838?

CVE-2022-50838 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 4.9.291 onward and has been patched in 4.9.337, 4.14.303, 4.19.270 and others. CVE-2022-50838 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2022-50838?

Yes — CVE-2022-50838 has been patched. Fixed versions include 4.9.337, 4.14.303, 4.19.270 and others. If you are running Linux kernel 4.9.291 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2022-50838 actively exploited?

No — CVE-2022-50838 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.