{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mptcp: do not queue data on closed subflows",
    "id" : "2373435",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373435"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmptcp: do not queue data on closed subflows\nDipanjan reported a syzbot splat at close time:\nWARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153\ninet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153\nModules linked in: uio_ivshmem(OE) uio(E)\nCPU: 1 PID: 10818 Comm: kworker/1:16 Tainted: G           OE\n5.19.0-rc6-g2eae0556bb9d #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: events mptcp_worker\nRIP: 0010:inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153\nCode: 21 02 00 00 41 8b 9c 24 28 02 00 00 e9 07 ff ff ff e8 34 4d 91\nf9 89 ee 4c 89 e7 e8 4a 47 60 ff e9 a6 fc ff ff e8 20 4d 91 f9 <0f> 0b\ne9 84 fe ff ff e8 14 4d 91 f9 0f 0b e9 d4 fd ff ff e8 08 4d\nRSP: 0018:ffffc9001b35fa78 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000002879d0 RCX: ffff8881326f3b00\nRDX: 0000000000000000 RSI: ffff8881326f3b00 RDI: 0000000000000002\nRBP: ffff888179662674 R08: ffffffff87e983a0 R09: 0000000000000000\nR10: 0000000000000005 R11: 00000000000004ea R12: ffff888179662400\nR13: ffff888179662428 R14: 0000000000000001 R15: ffff88817e38e258\nFS:  0000000000000000(0000) GS:ffff8881f5f00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020007bc0 CR3: 0000000179592000 CR4: 0000000000150ee0\nCall Trace:\n<TASK>\n__sk_destruct+0x4f/0x8e0 net/core/sock.c:2067\nsk_destruct+0xbd/0xe0 net/core/sock.c:2112\n__sk_free+0xef/0x3d0 net/core/sock.c:2123\nsk_free+0x78/0xa0 net/core/sock.c:2134\nsock_put include/net/sock.h:1927 [inline]\n__mptcp_close_ssk+0x50f/0x780 net/mptcp/protocol.c:2351\n__mptcp_destroy_sock+0x332/0x760 net/mptcp/protocol.c:2828\nmptcp_worker+0x5d2/0xc90 net/mptcp/protocol.c:2586\nprocess_one_work+0x9cc/0x1650 kernel/workqueue.c:2289\nworker_thread+0x623/0x1070 kernel/workqueue.c:2436\nkthread+0x2e9/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302\n</TASK>\nThe root cause of the problem is that an mptcp-level (re)transmit can\nrace with mptcp_close() and the packet scheduler checks the subflow\nstate before acquiring the socket lock: we can try to (re)transmit on\nan already closed ssk.\nFix the issue checking again the subflow socket status under the\nsubflow socket lock protection. Additionally add the missing check\nfor the fallback-to-tcp case." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-12-04T00:00:00Z",
    "advisory" : "RHSA-2025:22752",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.179.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-12-04T00:00:00Z",
    "advisory" : "RHSA-2025:22752",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.179.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-10-29T00:00:00Z",
    "advisory" : "RHSA-2025:19222",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.166.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-10-29T00:00:00Z",
    "advisory" : "RHSA-2025:19222",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.166.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-10-29T00:00:00Z",
    "advisory" : "RHSA-2025:19222",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.166.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-03T00:00:00Z",
    "advisory" : "RHSA-2025:19492",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.151.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-10-29T00:00:00Z",
    "advisory" : "RHSA-2025:19268",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.151.1.rt21.223.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50070\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50070\nhttps://lore.kernel.org/linux-cve-announce/2025061853-CVE-2022-50070-87b5@gregkh/T" ],
  "name" : "CVE-2022-50070",
  "csaw" : false
}