LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49732: sock: redo the psock vs ULP protection check

In the Linux kernel, the following vulnerability has been resolved: sock: redo the psock vs ULP protection check Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to the new tcp_bpf_update_proto() function. I'm guessing that this was done to allow creating psocks for non-inet sockets. Unfortunately the destruction path for psock includes the ULP unwind, so we need to fail the sk_psock_init() itself. Otherwise if ULP is already present we'll notice that later, and call tcp_update_ulp() with the sk_proto of the ULP itself, which will most likely result in the ULP looping its callbacks.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel socket bug involving psock and ULP state handling. The source says the wrong protection check can allow an unsafe combination, causing ULP callback looping during cleanup. Business impact is not rated in the provided record, so urgency depends on confirmed kernel exposure and vendor guidance.

Executive priority

Treat this as a patch-management item until stronger impact or exploitation evidence appears. It affects the Linux kernel, so remediation may require maintenance windows and reboots. Escalate priority for confirmed affected kernels on critical or multi-tenant infrastructure.

Technical view

The bug follows commit 8a59f9d1e3d4 moving inet_csk_has_ulp(sk) from sk_psock_init() to tcp_bpf_update_proto(). If ULP is already present, psock initialization can proceed until cleanup later calls tcp_update_ulp() with the ULP protocol itself, likely looping callbacks. Stable kernel commits are referenced as fixes.

Likely exposure

Exposure is limited to Linux systems running affected kernel code paths described in the CVE record. The bundle lists Linux kernel versions and stable commits but does not provide distribution package names, CPEs, CVSS, or deployment prerequisites. Confirm exposure through kernel version, vendor backport status, and whether relevant socket/ULP functionality is present.

Exploitation context

The provided bundle does not show CISA KEV listing, active exploitation, exploit availability, or a complete attack scenario. The evidence supports a resolved kernel logic flaw, but not real-world exploitation. Impact and practical exploitability remain incomplete from the supplied sources.

Researcher notes

The source detail is narrowly about psock versus ULP protection and cleanup behavior. No CVSS, CWE, exploit preconditions, or distro-specific fixed versions are included. Research should focus on mapping the referenced stable commits to deployed kernels without inferring broader impact from the title alone.

Mitigation direction

  • Apply Linux stable or distribution kernel updates containing the referenced fixes.
  • Check distribution advisories for exact fixed package versions and backports.
  • Prioritize confirmed affected kernels on shared, externally exposed, or high-value systems.
  • Avoid relying only on upstream version numbers when vendors backport fixes.
  • Track the CVE record for any later CVSS, CWE, or exploitation updates.

Validation and detection

  • Inventory Linux kernel versions across servers, containers hosts, and appliances.
  • Compare installed kernels with vendor advisories and referenced stable commits.
  • Confirm whether vendor kernels include backported fixes for CVE-2022-49732.
  • Review kernel update status before accepting residual risk.
  • Document systems where exposure cannot be confirmed from available evidence.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49732 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux8a59f9d1e3d4340659fdfee8879dc09a6f2546e1, 8a59f9d1e3d4340659fdfee8879dc09a6f2546e1, 8a59f9d1e3d4340659fdfee8879dc09a6f2546e1unaffected
LinuxLinux5.13, 0, 5.15.51, 5.18.8, 5.19affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.