{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48819", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-16T11:38:08.901Z", "datePublished": "2024-07-16T11:44:06.619Z", "dateUpdated": "2025-05-04T08:24:00.313Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:24:00.313Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case\n\nsyzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)\ncalls over the same TCP socket would again trigger the\ninfamous warning in inet_sock_destruct()\n\n\tWARN_ON(sk_forward_alloc_get(sk));\n\nWhile Talal took into account a mix of regular copied data\nand MSG_ZEROCOPY one in the same skb, the sendpage() path\nhas been forgotten.\n\nWe want the charging to happen for sendpage(), because\npages could be coming from a pipe. What is missing is the\ndowngrading of pure zerocopy status to make sure\nsk_forward_alloc will stay synced.\n\nAdd tcp_downgrade_zcopy_pure() helper so that we can\nuse it from the two callers."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/tcp.c"], "versions": [{"version": "9b65b17db72313b7a4fe9bc9502928c88be57986", "lessThan": "47f3860c4931175f112f28dcac66eacca9b1040f", "status": "affected", "versionType": "git"}, {"version": "9b65b17db72313b7a4fe9bc9502928c88be57986", "lessThan": "f8d9d938514f46c4892aff6bfe32f425e84d81cc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/tcp.c"], "versions": [{"version": "5.16", "status": "affected"}, {"version": "0", "lessThan": "5.16", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.10", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.16.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f"}, {"url": "https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc"}], "title": "tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.635Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:58:05.945399Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:12.400Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.635Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:58:05.945399Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:21.346Z"}}], "cna": {"title": "tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "9b65b17db72313b7a4fe9bc9502928c88be57986", "lessThan": "47f3860c4931175f112f28dcac66eacca9b1040f", "versionType": "git"}, {"status": "affected", "version": "9b65b17db72313b7a4fe9bc9502928c88be57986", "lessThan": "f8d9d938514f46c4892aff6bfe32f425e84d81cc", "versionType": "git"}], "programFiles": ["net/ipv4/tcp.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.16"}, {"status": "unaffected", "version": "0", "lessThan": "5.16", "versionType": "semver"}, {"status": "unaffected", "version": "5.16.10", "versionType": "semver", "lessThanOrEqual": "5.16.*"}, {"status": "unaffected", "version": "5.17", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/ipv4/tcp.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f"}, {"url": "https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case\n\nsyzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)\ncalls over the same TCP socket would again trigger the\ninfamous warning in inet_sock_destruct()\n\n\tWARN_ON(sk_forward_alloc_get(sk));\n\nWhile Talal took into account a mix of regular copied data\nand MSG_ZEROCOPY one in the same skb, the sendpage() path\nhas been forgotten.\n\nWe want the charging to happen for sendpage(), because\npages could be coming from a pipe. What is missing is the\ndowngrading of pure zerocopy status to make sure\nsk_forward_alloc will stay synced.\n\nAdd tcp_downgrade_zcopy_pure() helper so that we can\nuse it from the two callers."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.16.10", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.17", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:24:00.313Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48819", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:24:00.313Z", "dateReserved": "2024-07-16T11:38:08.901Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-16T11:44:06.619Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "679523BA-1392-404B-AB85-F5A5408B1ECC", "versionEndExcluding": "5.16.10", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "E6E34B23-78B4-4516-9BD8-61B33F4AC49A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case\n\nsyzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)\ncalls over the same TCP socket would again trigger the\ninfamous warning in inet_sock_destruct()\n\n\tWARN_ON(sk_forward_alloc_get(sk));\n\nWhile Talal took into account a mix of regular copied data\nand MSG_ZEROCOPY one in the same skb, the sendpage() path\nhas been forgotten.\n\nWe want the charging to happen for sendpage(), because\npages could be coming from a pipe. What is missing is the\ndowngrading of pure zerocopy status to make sure\nsk_forward_alloc will stay synced.\n\nAdd tcp_downgrade_zcopy_pure() helper so that we can\nuse it from the two callers."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: cuidado del caso mixto splice()/sendmsg(MSG_ZEROCOPY) syzbot descubri\u00f3 que mezclar llamadas sendpage() y sendmsg(MSG_ZEROCOPY) en el mismo socket TCP desencadenar\u00eda nuevamente el infame advertencia en inet_sock_destruct() WARN_ON(sk_forward_alloc_get(sk)); Si bien Talal tuvo en cuenta una combinaci\u00f3n de datos copiados normales y uno MSG_ZEROCOPY en el mismo skb, la ruta sendpage() se olvid\u00f3. Queremos que el cobro se realice por sendpage(), porque las p\u00e1ginas podr\u00edan provenir de una tuber\u00eda. Lo que falta es degradar el estado de copia cero pura para garantizar que sk_forward_alloc permanezca sincronizado. Agregue el asistente tcp_downgrade_zcopy_pure() para que podamos usarlo desde las dos personas que llaman."}], "id": "CVE-2022-48819", "lastModified": "2025-10-07T19:53:45.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-16T12:15:05.883", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case", "id": "2298158", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298158"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-99", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case\nsyzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)\ncalls over the same TCP socket would again trigger the\ninfamous warning in inet_sock_destruct()\nWARN_ON(sk_forward_alloc_get(sk));\nWhile Talal took into account a mix of regular copied data\nand MSG_ZEROCOPY one in the same skb, the sendpage() path\nhas been forgotten.\nWe want the charging to happen for sendpage(), because\npages could be coming from a pipe. What is missing is the\ndowngrading of pure zerocopy status to make sure\nsk_forward_alloc will stay synced.\nAdd tcp_downgrade_zcopy_pure() helper so that we can\nuse it from the two callers."], "name": "CVE-2022-48819", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48819\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48819\nhttps://lore.kernel.org/linux-cve-announce/2024071649-CVE-2022-48819-16f6@gregkh/T"], "statement": "This vulnerability is considered to be of Moderate Severity due to very limited exploitability.", "threat_severity": "Moderate"}

{"created": "2025-07-13T11:22:24.290374+00:00", "updated": "2025-07-13T11:22:24.290440+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}