Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveLinuxCVE-2022-48906
HistoryAug 22, 2024 - 2:15 a.m.

CVE-2022-48906

2024-08-2202:15:05
Linux
web.nvd.nist.gov
31
linux kernel
mptcp
vulnerability

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.3

Confidence

Low

EPSS

0

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

mptcp: Correctly set DATA_FIN timeout when number of retransmits is large

Syzkaller with UBSAN uncovered a scenario where a large number of
DATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN
timeout calculation:

================================================================================
UBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29
shift exponent 32 is too large for 32-bit type ‘unsigned int’
CPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events mptcp_worker
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330
mptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]
__mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445
mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528
process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307
worker_thread+0x95/0xe10 kernel/workqueue.c:2454
kthread+0x2f4/0x3b0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>

This change limits the maximum timeout by limiting the size of the
shift, which keeps all intermediate values in-bounds.

Affected configurations

Nvd
Vulners
Node
linuxlinux_kernelRange5.12.45.13
OR
linuxlinux_kernelRange5.135.15.27
OR
linuxlinux_kernelRange5.165.16.13
OR
linuxlinux_kernelMatch5.17rc1
OR
linuxlinux_kernelMatch5.17rc2
OR
linuxlinux_kernelMatch5.17rc3
OR
linuxlinux_kernelMatch5.17rc4
OR
linuxlinux_kernelMatch5.17rc5
OR
linuxlinux_kernelMatch5.17rc6
VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linuxlinux_kernel5.17cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
linuxlinux_kernel5.17cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
linuxlinux_kernel5.17cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*
linuxlinux_kernel5.17cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*
linuxlinux_kernel5.17cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*
linuxlinux_kernel5.17cpe:2.3:o:linux:linux_kernel:5.17:rc6:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/mptcp/protocol.c"
    ],
    "versions": [
      {
        "version": "6477dd39e62c",
        "lessThan": "0c3f34beb459",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "6477dd39e62c",
        "lessThan": "03ae283bd71f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "6477dd39e62c",
        "lessThan": "877d11f0332c",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/mptcp/protocol.c"
    ],
    "versions": [
      {
        "version": "5.13",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.13",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.27",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16.13",
        "lessThanOrEqual": "5.16.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.17",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

redhatcve 1
osv 3
nvd 1
ubuntucve 1
vulnrichment 1
cvelist 1
debiancve 1
nessus 2
redhatcve
redhatcve
CVE-2022-48906
2024-08-22 15:15:33
osv
osv
CVE-2022-48906
2024-08-22 02:15:05
Security update for the Linux Kernel
2024-09-10 08:46:37
Security update for the Linux Kernel
2024-09-11 15:39:03
nvd
nvd
CVE-2022-48906
2024-08-22 02:15:05
ubuntucve
ubuntucve
CVE-2022-48906
2024-08-22 00:00:00
vulnrichment
vulnrichment
CVE-2022-48906 mptcp: Correctly set DATA_FIN timeout when number of retransmits is large
2024-08-22 01:30:40
cvelist
cvelist
CVE-2022-48906 mptcp: Correctly set DATA_FIN timeout when number of retransmits is large
2024-08-22 01:30:40
debiancve
debiancve
CVE-2022-48906
2024-08-22 02:15:05
nessus
nessus
SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:3209-1)
2024-09-12 00:00:00
SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:3190-1)
2024-09-11 00:00:00

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.3

Confidence

Low

EPSS

0

Percentile

5.1%

JSON
Related for CVE-2022-48906
redhatcve1osv3nvd1ubuntucve1vulnrichment1cvelist1debiancve1nessus2