CVE-2022-50259

UNKNOWN 0.0

bpf, sockmap: fix race in sock_map_free()

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: fix race in sock_map_free() sock_map_free() calls release_sock(sk) without owning a reference on the socket. This can cause use-after-free as syzbot found [1] Jakub Sitnicki already took care of a similar issue in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free") [1] refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 Modules linked in: CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246 RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0 RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5 R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004 R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __refcount_dec include/linux/refcount.h:344 [inline] refcount_dec include/linux/refcount.h:359 [inline] __sock_put include/net/sock.h:779 [inline] tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092 release_sock+0xaf/0x1c0 net/core/sock.c:3468 sock_map_free+0x219/0x2c0 net/core/sock_map.c:356 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 kthread+0x266/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK>

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Sep 15, 2025
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Linux / Linux

20ae0cb8983b05136d5293c47fadc99a8ca8ca2d < 4cabc3af4a6f36c222fecb15858c1060e59218e7 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b < be719496ae6a7fc325e9e5056a52f63ebc84cc0c 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b < a443c55d96dede82a724df6e70a318ad15c199e1 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b < e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b < 5c3568166129bc73fd6b37748d2d8f95cd8f22f3 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b < 0a182f8d607464911756b4dbef5d6cad8de22469

Linux / Linux

5.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

git.kernel.org: https://git.kernel.org/stable/c/4cabc3af4a6f36c222fecb15858c1060e59218e7 git.kernel.org: https://git.kernel.org/stable/c/be719496ae6a7fc325e9e5056a52f63ebc84cc0c git.kernel.org: https://git.kernel.org/stable/c/a443c55d96dede82a724df6e70a318ad15c199e1 git.kernel.org: https://git.kernel.org/stable/c/e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62 git.kernel.org: https://git.kernel.org/stable/c/5c3568166129bc73fd6b37748d2d8f95cd8f22f3 git.kernel.org: https://git.kernel.org/stable/c/0a182f8d607464911756b4dbef5d6cad8de22469