CVE-2022-49732: sock: redo the psock vs ULP protection check
In the Linux kernel, the following vulnerability has been resolved:
sock: redo the psock vs ULP protection check
Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()")
has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to
the new tcp_bpf_update_proto() function. I'm guessing that this
was done to allow creating psocks for non-inet sockets.
Unfortunately the destruction path for psock includes the ULP
unwind, so we need to fail the sk_psock_init() itself.
Otherwise if ULP is already present we'll notice that later,
and call tcp_update_ulp() with the sk_proto of the ULP
itself, which will most likely result in the ULP looping
its callbacks.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel socket bug involving psock and ULP state handling. The source says the wrong protection check can allow an unsafe combination, causing ULP callback looping during cleanup. Business impact is not rated in the provided record, so urgency depends on confirmed kernel exposure and vendor guidance.
Executive priority
Treat this as a patch-management item until stronger impact or exploitation evidence appears. It affects the Linux kernel, so remediation may require maintenance windows and reboots. Escalate priority for confirmed affected kernels on critical or multi-tenant infrastructure.
Technical view
The bug follows commit 8a59f9d1e3d4 moving inet_csk_has_ulp(sk) from sk_psock_init() to tcp_bpf_update_proto(). If ULP is already present, psock initialization can proceed until cleanup later calls tcp_update_ulp() with the ULP protocol itself, likely looping callbacks. Stable kernel commits are referenced as fixes.
Likely exposure
Exposure is limited to Linux systems running affected kernel code paths described in the CVE record. The bundle lists Linux kernel versions and stable commits but does not provide distribution package names, CPEs, CVSS, or deployment prerequisites. Confirm exposure through kernel version, vendor backport status, and whether relevant socket/ULP functionality is present.
Exploitation context
The provided bundle does not show CISA KEV listing, active exploitation, exploit availability, or a complete attack scenario. The evidence supports a resolved kernel logic flaw, but not real-world exploitation. Impact and practical exploitability remain incomplete from the supplied sources.
Researcher notes
The source detail is narrowly about psock versus ULP protection and cleanup behavior. No CVSS, CWE, exploit preconditions, or distro-specific fixed versions are included. Research should focus on mapping the referenced stable commits to deployed kernels without inferring broader impact from the title alone.
Mitigation direction
Apply Linux stable or distribution kernel updates containing the referenced fixes.
Check distribution advisories for exact fixed package versions and backports.
Prioritize confirmed affected kernels on shared, externally exposed, or high-value systems.
Avoid relying only on upstream version numbers when vendors backport fixes.
Track the CVE record for any later CVSS, CWE, or exploitation updates.
Validation and detection
Inventory Linux kernel versions across servers, containers hosts, and appliances.
Compare installed kernels with vendor advisories and referenced stable commits.
Confirm whether vendor kernels include backported fixes for CVE-2022-49732.
Review kernel update status before accepting residual risk.
Document systems where exposure cannot be confirmed from available evidence.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49732 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 26, 2025, 14:57 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.