{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: rxrpc: Fix locking in rxrpc's sendmsg",
    "id" : "2373619",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373619"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-413",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nrxrpc: Fix locking in rxrpc's sendmsg\nFix three bugs in the rxrpc's sendmsg implementation:\n(1) rxrpc_new_client_call() should release the socket lock when returning\nan error from rxrpc_get_call_slot().\n(2) rxrpc_wait_for_tx_window_intr() will return without the call mutex\nheld in the event that we're interrupted by a signal whilst waiting\nfor tx space on the socket or relocking the call mutex afterwards.\nFix this by: (a) moving the unlock/lock of the call mutex up to\nrxrpc_send_data() such that the lock is not held around all of\nrxrpc_wait_for_tx_window*() and (b) indicating to higher callers\nwhether we're return with the lock dropped.  Note that this means\nrecvmsg() will not block on this call whilst we're waiting.\n(3) After dropping and regaining the call mutex, rxrpc_send_data() needs\nto go and recheck the state of the tx_pending buffer and the\ntx_total_len check in case we raced with another sendmsg() on the same\ncall.\nThinking on this some more, it might make sense to have different locks for\nsendmsg() and recvmsg().  There's probably no need to make recvmsg() wait\nfor sendmsg().  It does mean that recvmsg() can return MSG_EOR indicating\nthat a call is dead before a sendmsg() to that call returns - but that can\ncurrently happen anyway.\nWithout fix (2), something like the following can be induced:\nWARNING: bad unlock balance detected!\n5.16.0-rc6-syzkaller #0 Not tainted\n-------------------------------------\nsyz-executor011/3597 is trying to release lock (&call->user_mutex) at:\n[<ffffffff885163a3>] rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748\nbut there are no more locks to release!\nother info that might help us debug this:\nno locks held by syz-executor011/3597.\n...\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_unlock_imbalance_bug include/trace/events/lock.h:58 [inline]\n__lock_release kernel/locking/lockdep.c:5306 [inline]\nlock_release.cold+0x49/0x4e kernel/locking/lockdep.c:5657\n__mutex_unlock_slowpath+0x99/0x5e0 kernel/locking/mutex.c:900\nrxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748\nrxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:561\nsock_sendmsg_nosec net/socket.c:704 [inline]\nsock_sendmsg+0xcf/0x120 net/socket.c:724\n____sys_sendmsg+0x6e8/0x810 net/socket.c:2409\n___sys_sendmsg+0xf3/0x170 net/socket.c:2463\n__sys_sendmsg+0xe5/0x1b0 net/socket.c:2492\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae\n[Thanks to Hawkins Jiawei and Khalid Masum for their attempts to fix this]" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49998\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49998\nhttps://lore.kernel.org/linux-cve-announce/2025061827-CVE-2022-49998-d4dd@gregkh/T" ],
  "name" : "CVE-2022-49998",
  "csaw" : false
}