LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49017: tipc: re-fetch skb cb after tipc_msg_validate

In the Linux kernel, the following vulnerability has been resolved: tipc: re-fetch skb cb after tipc_msg_validate As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause an use-after-free crash. BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 ... Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] This patch fixes it by re-fetching the skb cb from the new allocated skb after calling tipc_msg_validate().

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2022-49017 is a Linux kernel flaw in TIPC, a cluster/networking component. A freed network buffer can be reused incorrectly, causing a kernel use-after-free crash. The public record describes a fix but provides no CVSS score and no evidence of active exploitation.

Executive priority

Treat as a targeted Linux kernel stability risk, not a confirmed exploited emergency. Patch during the next kernel maintenance window, sooner for systems using TIPC in production clusters or sensitive environments.

Technical view

In TIPC receive crypto handling, tipc_msg_validate() may free the original skb and allocate a replacement. tipc_crypto_rcv_complete() then dereferenced the stale skb control block, triggering a KASAN use-after-free. The fix re-fetches the skb cb after tipc_msg_validate().

Likely exposure

Exposure appears limited to Linux systems with affected kernels where TIPC is enabled or used. The source bundle lists Linux kernel versions and stable commits, but exact distribution exposure depends on vendor backports and packaging.

Exploitation context

No KEV listing or cited source indicates active exploitation. The available evidence shows a kernel crash condition in TIPC processing. Public sources do not establish reliable remote exploitability, privilege requirements, or impact beyond use-after-free crash behavior.

Researcher notes

The record is sparse: no CVSS, CWE, exploit status, or distribution matrix is provided. Analysis should focus on kernel versions, TIPC enablement, and whether downstream vendors incorporated the stable commits.

Mitigation direction

  • Update to a vendor kernel release containing the referenced stable fix.
  • Check Linux distribution advisories for backported fixes and affected package versions.
  • If TIPC is unused, ask the vendor whether disabling it is appropriate.
  • Prioritize internet- or cluster-exposed systems using TIPC for earlier maintenance.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and container hosts.
  • Identify systems where the TIPC module or feature is enabled.
  • Compare installed kernels with vendor advisories and referenced stable commits.
  • Review kernel changelogs for the TIPC skb cb re-fetch fix.
  • Monitor for kernel oops, panic, or KASAN reports involving TIPC.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49017 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxfc1b6d6de2208774efd2a20bf0daddb02d18b1e0, fc1b6d6de2208774efd2a20bf0daddb02d18b1e0, fc1b6d6de2208774efd2a20bf0daddb02d18b1e0, fc1b6d6de2208774efd2a20bf0daddb02d18b1e0unaffected
LinuxLinux5.5, 0, 5.10.158, 5.15.82, 6.0.12, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.