CVE-2022-49728: ipv6: Fix signed integer overflow in __ip6_append_data
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix signed integer overflow in __ip6_append_data
Resurrect ubsan overflow checks and ubsan report this warning,
fix it by change the variable [length] type to size_t.
UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19
2147479552 + 8567 cannot be represented in type 'int'
CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x214/0x230
show_stack+0x30/0x78
dump_stack_lvl+0xf8/0x118
dump_stack+0x18/0x30
ubsan_epilogue+0x18/0x60
handle_overflow+0xd0/0xf0
__ubsan_handle_add_overflow+0x34/0x44
__ip6_append_data.isra.48+0x1598/0x1688
ip6_append_data+0x128/0x260
udpv6_sendmsg+0x680/0xdd0
inet6_sendmsg+0x54/0x90
sock_sendmsg+0x70/0x88
____sys_sendmsg+0xe8/0x368
___sys_sendmsg+0x98/0xe0
__sys_sendmmsg+0xf4/0x3b8
__arm64_sys_sendmmsg+0x34/0x48
invoke_syscall+0x64/0x160
el0_svc_common.constprop.4+0x124/0x300
do_el0_svc+0x44/0xc8
el0_svc+0x3c/0x1e8
el0t_64_sync_handler+0x88/0xb0
el0t_64_sync+0x16c/0x170
Changes since v1:
-Change the variable [length] type to unsigned, as Eric Dumazet suggested.
Changes since v2:
-Don't change exthdrlen type in ip6_make_skb, as Paolo Abeni suggested.
Changes since v3:
-Don't change ulen type in udpv6_sendmsg and l2tp_ip6_sendmsg, as
Jakub Kicinski suggested.
Security readout for executives and security teams
Plain-English summary
CVE-2022-49728 is a Linux kernel IPv6 bug where a length calculation can overflow a signed integer. The public record shows a kernel fix, but does not provide CVSS, confirmed exploitation, or a complete business-impact statement. Treat it as a kernel maintenance risk requiring timely patch validation.
Executive priority
Schedule this into the next kernel patch cycle unless local kernel exposure is broad or patch windows are overdue. Escalate if critical internet-facing Linux infrastructure depends heavily on IPv6 and cannot be patched promptly.
Technical view
The issue is in __ip6_append_data in net/ipv6/ip6_output.c. UBSAN reported signed integer overflow during the IPv6 UDP send path. The fix changes the length variable type to avoid signed overflow. Public sources list affected Linux kernel ranges and stable kernel commits.
Likely exposure
Exposure is likely on Linux systems running affected kernel versions with IPv6 networking paths present. The bundle lists Linux kernels from 2.6.12 through several later branches as affected, with fixed stable references. Distribution backports may change version-only conclusions.
Exploitation context
No provided source states active exploitation, and KEV is false. The evidence shows a sanitizer-detected overflow and a userspace-to-kernel send path, but not a public exploit, reliable impact chain, or attacker prerequisites beyond kernel reachability.
Researcher notes
The source bundle lacks CVSS, CWE, exploitability assessment, and concrete impact beyond signed integer overflow. Validate with vendor backport metadata because distro kernels may contain the fix without matching upstream version numbers.
Mitigation direction
Apply vendor kernel updates containing the referenced stable fixes.
For Debian LTS systems, review and apply the linked Debian security update.
Confirm production images use patched distro kernels, not only upstream version labels.
Prioritize reboot or live-patch completion where kernel updates require activation.
Validation and detection
Inventory running Linux kernel versions across servers, containers hosts, and appliances.
Map each kernel to vendor advisories or the referenced stable commits.
Check whether IPv6 networking is enabled on exposed Linux hosts.
Review kernel logs for matching UBSAN overflow messages if sanitizer builds are used.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49728 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
6Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 26, 2025, 02:24 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.