CVE-2022-48819: tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case
In the Linux kernel, the following vulnerability has been resolved:
tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case
syzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)
calls over the same TCP socket would again trigger the
infamous warning in inet_sock_destruct()
WARN_ON(sk_forward_alloc_get(sk));
While Talal took into account a mix of regular copied data
and MSG_ZEROCOPY one in the same skb, the sendpage() path
has been forgotten.
We want the charging to happen for sendpage(), because
pages could be coming from a pipe. What is missing is the
downgrading of pure zerocopy status to make sure
sk_forward_alloc will stay synced.
Add tcp_downgrade_zcopy_pure() helper so that we can
use it from the two callers.
Security readout for executives and security teams
Plain-English summary
This Linux kernel TCP bug involves incorrect memory accounting when two data-sending paths are mixed on the same socket. The public bundle does not show active exploitation, CVSS, or business-impact details. Treat it as a kernel stability and reliability issue until vendor guidance says otherwise.
Executive priority
Moderate operational priority, but severity is unknown. Patch through normal kernel maintenance unless vendor advisories raise impact for your environment or affected kernels are widely deployed on critical shared systems.
Technical view
The issue occurs when sendpage or splice traffic is mixed with sendmsg(MSG_ZEROCOPY) on a TCP socket. The sendpage path missed downgrading pure zerocopy status, leaving sk_forward_alloc accounting out of sync and triggering inet_sock_destruct() warnings. Stable kernel commits add tcp_downgrade_zcopy_pure().
Likely exposure
Exposure appears limited to Linux systems running affected 5.16-era kernel builds or kernels carrying the referenced vulnerable TCP behavior without the stable fixes. The bundle names Linux as the affected vendor and product, but provides no distribution-specific package list.
Exploitation context
The bundle does not cite KEV listing, active exploitation, public exploit use, or attacker prerequisites. The finding originated from syzbot testing, which indicates kernel fuzzing discovery rather than confirmed exploitation in the wild.
Researcher notes
Evidence is limited to the CVE text and two Linux stable commits. No CVSS, CWE, exploit status, or distribution mappings are provided. Analysis should stay focused on TCP zerocopy/sendpage accounting and affected kernel lineage.
Mitigation direction
Check your Linux distribution advisory for CVE-2022-48819 status.
Update affected kernels to versions containing the referenced stable fixes.
Prioritize systems using custom or older 5.16-era kernels.
Avoid assuming distribution packages are affected without vendor confirmation.
Validation and detection
Inventory Linux kernel versions across servers and appliances.
Compare kernel builds against vendor advisories for CVE-2022-48819.
Confirm whether referenced stable commits are included in custom kernels.
Review kernel logs for recurring TCP socket destruction warnings.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48819 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.