CVE-2022-50070— mptcp: do not queue data on closed subflows
Affected Version Matrix 8
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d5f49190def61c47b2faff170ba8fbc48bac4371< fb9c73ef2ac2ec816efdc8b9267bc04e1369c20b | affected |
d5f49190def61c47b2faff170ba8fbc48bac4371< 8caf5c15b5288d52d9c89374d6c10fa32ee84ec5 | affected | ||
d5f49190def61c47b2faff170ba8fbc48bac4371< c886d70286bf3ad411eb3d689328a67f7102c6ae | affected | ||
5.10 | affected | ||
< 5.10 | unaffected | ||
5.15.190≤ 5.15.* | unaffected | ||
5.19.4≤ 5.19.* | unaffected | ||
6.0≤ * | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-50070
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mptcp: do not queue data on closed subflows
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: do not queue data on closed subflows Dipanjan reported a syzbot splat at close time: WARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153 inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153 Modules linked in: uio_ivshmem(OE) uio(E) CPU: 1 PID: 10818 Comm: kworker/1:16 Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153 Code: 21 02 00 00 41 8b 9c 24 28 02 00 00 e9 07 ff ff ff e8 34 4d 91 f9 89 ee 4c 89 e7 e8 4a 47 60 ff e9 a6 fc ff ff e8 20 4d 91 f9 <0f> 0b e9 84 fe ff ff e8 14 4d 91 f9 0f 0b e9 d4 fd ff ff e8 08 4d RSP: 0018:ffffc9001b35fa78 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000002879d0 RCX: ffff8881326f3b00 RDX: 0000000000000000 RSI: ffff8881326f3b00 RDI: 0000000000000002 RBP: ffff888179662674 R08: ffffffff87e983a0 R09: 0000000000000000 R10: 0000000000000005 R11: 00000000000004ea R12: ffff888179662400 R13: ffff888179662428 R14: 0000000000000001 R15: ffff88817e38e258 FS: 0000000000000000(0000) GS:ffff8881f5f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020007bc0 CR3: 0000000179592000 CR4: 0000000000150ee0 Call Trace: <TASK> __sk_destruct+0x4f/0x8e0 net/core/sock.c:2067 sk_destruct+0xbd/0xe0 net/core/sock.c:2112 __sk_free+0xef/0x3d0 net/core/sock.c:2123 sk_free+0x78/0xa0 net/core/sock.c:2134 sock_put include/net/sock.h:1927 [inline] __mptcp_close_ssk+0x50f/0x780 net/mptcp/protocol.c:2351 __mptcp_destroy_sock+0x332/0x760 net/mptcp/protocol.c:2828 mptcp_worker+0x5d2/0xc90 net/mptcp/protocol.c:2586 process_one_work+0x9cc/0x1650 kernel/workqueue.c:2289 worker_thread+0x623/0x1070 kernel/workqueue.c:2436 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 </TASK> The root cause of the problem is that an mptcp-level (re)transmit can race with mptcp_close() and the packet scheduler checks the subflow state before acquiring the socket lock: we can try to (re)transmit on an already closed ssk. Fix the issue checking again the subflow socket status under the subflow socket lock protection. Additionally add the missing check for the fallback-to-tcp case.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于MPTCP在关闭子流后仍排队数据导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2022-50070
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-50070
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-06-18 · 362 CVEs total
| CVE-2022-50104 | powerpc/xive: Fix refcount leak in xive_get_max_prio | |
| CVE-2022-50116 | tty: n_gsm: fix deadlock and link starvation in outgoing data path | |
| CVE-2022-50114 | net: 9p: fix refcount leak in p9_read_work() error handling | |
| CVE-2022-50113 | ASoc: audio-graph-card2: Fix refcount leak bug in __graph_get_type() | |
| CVE-2022-50112 | rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge | |
| CVE-2022-50111 | ASoC: mt6359: Fix refcount leak bug | |
| CVE-2022-50110 | watchdog: sp5100_tco: Fix a memory leak of EFCH MMIO resource | |
| CVE-2022-50109 | video: fbdev: amba-clcd: Fix refcount leak bugs | |
| CVE-2022-50108 | mfd: max77620: Fix refcount leak in max77620_initialise_fps | |
| CVE-2022-50106 | powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address | |
| CVE-2022-50107 | cifs: Fix memory leak when using fscache | |
| CVE-2022-50105 | powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader | |
| CVE-2022-50099 | video: fbdev: arkfb: Check the size of screen before memset_io() | |
| CVE-2022-50095 | posix-cpu-timers: Cleanup CPU timers before freeing them during exec | |
| CVE-2022-50094 | spmi: trace: fix stack-out-of-bound access in SPMI tracing functions | |
| CVE-2022-50096 | x86/kprobes: Update kcb status flag after singlestepping | |
| CVE-2022-50097 | video: fbdev: s3fb: Check the size of screen before memset_io() | |
| CVE-2022-50098 | scsi: qla2xxx: Fix crash due to stale SRB access around I/O timeouts | |
| CVE-2022-50101 | video: fbdev: vt8623fb: Check the size of screen before memset_io() | |
| CVE-2022-50103 | sched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed |
Showing top 20 of 362 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-45836
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndti - CVE-2026-45835
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_conne - CVE-2026-45834
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_cha - CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans
Same vendor: Linux
- CVE-2026-45836
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndti - CVE-2026-45835
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_conne - CVE-2026-45834
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_cha - CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans
V. Comments for CVE-2022-50070
No comments yet