{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data",
    "id" : "2402257",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402257"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, sockmap: Fix repeated calls to sock_put() when msg has more_data\nIn tcp_bpf_send_verdict() redirection, the eval variable is assigned to\n__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,\nsock_put() will be called multiple times.\nWe should reset the eval variable to __SK_NONE every time more_data\nstarts.\nThis causes:\nIPv4: Attempt to release TCP socket in state 1 00000000b4c925d7\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110\nModules linked in:\nCPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1\nHardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014\nCall Trace:\n<TASK>\n__tcp_transmit_skb+0xa1b/0xb90\n? __alloc_skb+0x8c/0x1a0\n? __kmalloc_node_track_caller+0x184/0x320\ntcp_write_xmit+0x22a/0x1110\n__tcp_push_pending_frames+0x32/0xf0\ndo_tcp_sendpages+0x62d/0x640\ntcp_bpf_push+0xae/0x2c0\ntcp_bpf_sendmsg_redir+0x260/0x410\n? preempt_count_add+0x70/0xa0\ntcp_bpf_send_verdict+0x386/0x4b0\ntcp_bpf_sendmsg+0x21b/0x3b0\nsock_sendmsg+0x58/0x70\n__sys_sendto+0xfa/0x170\n? xfd_validate_state+0x1d/0x80\n? switch_fpu_return+0x59/0xe0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x37/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd", "A reference-count flaw was found in the Linux kernel Berkeley Packet Filter (BPF) sockmap implementation. When processing messages with remaining data, the same Transmission Control Protocol (TCP) socket reference could be released more than once. \nA local user running BPF sockmap programs could use this flaw to trigger a use-after-free and crash the system, resulting in a denial of service." ],
  "statement" : "The flaw arises because the verdict state was not reset at boundaries where additional message data arrives, causing the same socket reference to be dropped more than once. The fix resets the internal verdict state when handling continued data, preventing double release.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-05-10T00:00:00Z",
    "advisory" : "RHSA-2022:1988",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-372.9.1.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50536\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50536\nhttps://lore.kernel.org/linux-cve-announce/2025100754-CVE-2022-50536-baea@gregkh/T" ],
  "name" : "CVE-2022-50536",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module bpf from being loaded.\nPlease see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}