CVE-2022-49017: tipc: re-fetch skb cb after tipc_msg_validate
In the Linux kernel, the following vulnerability has been resolved:
tipc: re-fetch skb cb after tipc_msg_validate
As the call trace shows, the original skb was freed in tipc_msg_validate(),
and dereferencing the old skb cb would cause an use-after-free crash.
BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
Call Trace:
<IRQ>
tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
...
Allocated by task 47078:
kmem_cache_alloc_node+0x158/0x4d0
__alloc_skb+0x1c1/0x270
tipc_buf_acquire+0x1e/0xe0 [tipc]
tipc_msg_create+0x33/0x1c0 [tipc]
tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
tipc_link_timeout+0x8b8/0xef0 [tipc]
tipc_node_timeout+0x2a1/0x960 [tipc]
call_timer_fn+0x2d/0x1c0
...
Freed by task 47078:
tipc_msg_validate+0x7b/0x440 [tipc]
tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
This patch fixes it by re-fetching the skb cb from the new allocated skb
after calling tipc_msg_validate().
Security readout for executives and security teams
Plain-English summary
CVE-2022-49017 is a Linux kernel flaw in TIPC, a cluster/networking component. A freed network buffer can be reused incorrectly, causing a kernel use-after-free crash. The public record describes a fix but provides no CVSS score and no evidence of active exploitation.
Executive priority
Treat as a targeted Linux kernel stability risk, not a confirmed exploited emergency. Patch during the next kernel maintenance window, sooner for systems using TIPC in production clusters or sensitive environments.
Technical view
In TIPC receive crypto handling, tipc_msg_validate() may free the original skb and allocate a replacement. tipc_crypto_rcv_complete() then dereferenced the stale skb control block, triggering a KASAN use-after-free. The fix re-fetches the skb cb after tipc_msg_validate().
Likely exposure
Exposure appears limited to Linux systems with affected kernels where TIPC is enabled or used. The source bundle lists Linux kernel versions and stable commits, but exact distribution exposure depends on vendor backports and packaging.
Exploitation context
No KEV listing or cited source indicates active exploitation. The available evidence shows a kernel crash condition in TIPC processing. Public sources do not establish reliable remote exploitability, privilege requirements, or impact beyond use-after-free crash behavior.
Researcher notes
The record is sparse: no CVSS, CWE, exploit status, or distribution matrix is provided. Analysis should focus on kernel versions, TIPC enablement, and whether downstream vendors incorporated the stable commits.
Mitigation direction
Update to a vendor kernel release containing the referenced stable fix.
Check Linux distribution advisories for backported fixes and affected package versions.
If TIPC is unused, ask the vendor whether disabling it is appropriate.
Prioritize internet- or cluster-exposed systems using TIPC for earlier maintenance.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and container hosts.
Identify systems where the TIPC module or feature is enabled.
Compare installed kernels with vendor advisories and referenced stable commits.
Review kernel changelogs for the TIPC skb cb re-fetch fix.
Monitor for kernel oops, panic, or KASAN reports involving TIPC.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49017 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.