CVE-2022-49973

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's sk_msg_recvmsg() function can cause kernel crashes when handling socket redirection via sockmap. This affects Linux systems using BPF sockmap redirection without stream parsers/verdicts. Attackers with local access can trigger denial of service.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernels that predate the fixes in the stable trees (fix commits: 10ee118a1756141f8e9c87aa7344ed12b41630a8, 583585e48d965338e73e1eb383768d16e0922d73, de22cba333d8699ad77e79f862fe1320cb1284de)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only affects systems using BPF sockmap redirection without stream_parser/stream_verdict/skb_verdict. Not vulnerable in default configurations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash and denial of service, potentially disrupting critical services.

🟠 Likely Case

Local denial of service through kernel crash, requiring system reboot to recover.

🟢 If Mitigated

Minimal impact if systems are patched or don't use affected BPF sockmap configurations.

🌐 Internet-Facing: LOW - Requires local access or ability to execute code on the system.
🏢 Internal Only: MEDIUM - Local attackers or compromised accounts could cause system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger specific BPF sockmap operations. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in stable kernel trees via referenced commits

Vendor Advisory: https://git.kernel.org/stable/c/10ee118a1756141f8e9c87aa7344ed12b41630a8

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing fixes
2. Reboot system
3. Verify kernel version after reboot

🔧 Temporary Workarounds

Disable BPF sockmap redirection (linux)

Prevent use of vulnerable BPF sockmap functionality:

  • sysctl -w net.core.bpf_jit_enable=0
  • Remove BPF programs using sockmap redirection

🧯 If You Can't Patch

  • Restrict local user access to prevent exploitation
  • Monitor for kernel panic/crash events and investigate root causes

🔍 How to Verify

Check if Vulnerable:

Check the kernel version (uname -r) and whether sockmap BPF programs are in use (bpftool prog list).

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated and no crashes occur during sockmap operations

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • NULL pointer dereference in sk_msg_recvmsg
  • System crash/reboot events

Network Indicators:

  • Unusual BPF program activity

SIEM Query:

search 'kernel panic' OR 'NULL pointer dereference' AND 'sk_msg_recvmsg'
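
Added example, not part of the original advisory: a Python pass over kernel log text that reports a hit only when a NULL pointer dereference oops and an sk_msg_recvmsg frame appear in the same oops body, which a keyword search alone cannot enforce. The log lines are constructed, and the function name find_sk_msg_oopses and the 80-line oops window are assumptions.

```python
import re

# Constructed sample kernel log; not captured from a real system.
SAMPLE_LOG = """\
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  101.000002] Oops: 0000 [#1] SMP
[  101.000003] RIP: 0010:example_driver_read+0x1a/0x40
[  101.000004]  ? sk_msg_recvmsg+0x10/0x380
[  101.000005] ---[ end trace 0000000000000000 ]---
[  150.000001] example: operator ran grep sk_msg_recvmsg /proc/kallsyms
[  224.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  224.000002] Oops: 0000 [#2] SMP
[  224.000003] Call Trace:
[  224.000004]  sk_msg_recvmsg+0x1d3/0x380
[  224.000005]  inet_recvmsg+0x5b/0xd0
[  224.000006] ---[ end trace 0000000000000000 ]---
"""

OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
TIMESTAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")
# symbol+0xoffset/0xsize as printed in RIP: and call-trace lines. Frames
# prefixed with "? " are unreliable stack leftovers and are skipped.
FRAME = re.compile(r"(?<!\? )\bsk_msg_recvmsg\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_sk_msg_oopses(log_text, max_lines=80):
    """Return start timestamps of NULL-deref oopses that name sk_msg_recvmsg."""
    hits, start_ts, remaining, matched = [], None, 0, False
    for line in log_text.splitlines():
        if OOPS_START.search(line):
            m = TIMESTAMP.match(line)
            start_ts, remaining, matched = (m.group(1) if m else "?"), max_lines, False
            continue
        if start_ts is None:
            continue  # symbol mentioned outside an oops body: not a crash
        if not matched and FRAME.search(line):
            hits.append(start_ts)
            matched = True
        remaining -= 1
        if OOPS_END.search(line) or remaining <= 0:
            start_ts = None  # oops finished, or window exceeded (assumed cap)
    return hits

if __name__ == "__main__":
    for ts in find_sk_msg_oopses(SAMPLE_LOG):
        print(f"oops at [{ts}] names sk_msg_recvmsg: check for CVE-2022-49973")
```

Feed it the output of dmesg or journalctl -k as text; a hit is a reason to compare the running kernel against the fix commits, not proof of the root cause.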
