{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49865", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-05-01T14:05:17.237Z", "datePublished": "2025-05-01T14:10:17.673Z", "dateUpdated": "2025-05-04T08:47:15.815Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:47:15.815Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network\n\nWhen copying a `struct ifaddrlblmsg` to the network, __ifal_reserved\nremained uninitialized, resulting in a 1-byte infoleak:\n\n BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841\n __netdev_start_xmit ./include/linux/netdevice.h:4841\n netdev_start_xmit ./include/linux/netdevice.h:4857\n xmit_one net/core/dev.c:3590\n dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606\n __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256\n dev_queue_xmit ./include/linux/netdevice.h:3009\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:307\n __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338\n __netlink_sendskb net/netlink/af_netlink.c:1263\n netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272\n netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360\n nlmsg_unicast ./include/net/netlink.h:1061\n rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758\n ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628\n rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n ...\n Uninit was created at:\n slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742\n slab_alloc_node mm/slub.c:3398\n __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437\n __do_kmalloc_node mm/slab_common.c:954\n __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975\n kmalloc_reserve net/core/skbuff.c:437\n __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509\n alloc_skb ./include/linux/skbuff.h:1267\n nlmsg_new ./include/net/netlink.h:964\n ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608\n rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540\n rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319\n netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921\n ...\n\nThis patch ensures that the reserved field is always initialized."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/addrlabel.c"], "versions": [{"version": "2a8cc6c89039e0530a3335954253b76ed0f9339a", "lessThan": "568a47ff756f913e8b374c2af9d22cd2c772c744", "status": "affected", "versionType": "git"}, {"version": "2a8cc6c89039e0530a3335954253b76ed0f9339a", "lessThan": "0f85b7ae7c4b5d7b4bbf7ac653a733c181a8a2bf", "status": "affected", "versionType": "git"}, {"version": "2a8cc6c89039e0530a3335954253b76ed0f9339a", "lessThan": "6d26d0587abccb9835382a0b53faa7b9b1cd83e3", "status": "affected", "versionType": "git"}, {"version": "2a8cc6c89039e0530a3335954253b76ed0f9339a", "lessThan": "58cd7fdc8c1e6c7873acc08f190069fed88d1c12", "status": "affected", "versionType": "git"}, {"version": "2a8cc6c89039e0530a3335954253b76ed0f9339a", "lessThan": "a033b86c7f7621fde31f0364af8986f43b44914f", "status": "affected", "versionType": "git"}, {"version": "2a8cc6c89039e0530a3335954253b76ed0f9339a", "lessThan": "2acb2779b147decd300c117683d5a32ce61c75d6", "status": "affected", "versionType": "git"}, {"version": "2a8cc6c89039e0530a3335954253b76ed0f9339a", "lessThan": "49e92ba5ecd7d72ba369dde2ccff738edd028a47", "status": "affected", "versionType": "git"}, {"version": "2a8cc6c89039e0530a3335954253b76ed0f9339a", "lessThan": "c23fb2c82267638f9d206cb96bb93e1f93ad7828", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/addrlabel.c"], "versions": [{"version": "2.6.25", "status": "affected"}, {"version": "0", "lessThan": "2.6.25", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.334", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.300", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.267", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.225", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.155", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.79", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.9", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "4.9.334"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "4.14.300"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "4.19.267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "5.4.225"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "5.10.155"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "5.15.79"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.0.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/568a47ff756f913e8b374c2af9d22cd2c772c744"}, {"url": "https://git.kernel.org/stable/c/0f85b7ae7c4b5d7b4bbf7ac653a733c181a8a2bf"}, {"url": "https://git.kernel.org/stable/c/6d26d0587abccb9835382a0b53faa7b9b1cd83e3"}, {"url": "https://git.kernel.org/stable/c/58cd7fdc8c1e6c7873acc08f190069fed88d1c12"}, {"url": "https://git.kernel.org/stable/c/a033b86c7f7621fde31f0364af8986f43b44914f"}, {"url": "https://git.kernel.org/stable/c/2acb2779b147decd300c117683d5a32ce61c75d6"}, {"url": "https://git.kernel.org/stable/c/49e92ba5ecd7d72ba369dde2ccff738edd028a47"}, {"url": "https://git.kernel.org/stable/c/c23fb2c82267638f9d206cb96bb93e1f93ad7828"}], "title": "ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network\n\nWhen copying a `struct ifaddrlblmsg` to the network, __ifal_reserved\nremained uninitialized, resulting in a 1-byte infoleak:\n\n BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841\n __netdev_start_xmit ./include/linux/netdevice.h:4841\n netdev_start_xmit ./include/linux/netdevice.h:4857\n xmit_one net/core/dev.c:3590\n dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606\n __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256\n dev_queue_xmit ./include/linux/netdevice.h:3009\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:307\n __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338\n __netlink_sendskb net/netlink/af_netlink.c:1263\n netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272\n netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360\n nlmsg_unicast ./include/net/netlink.h:1061\n rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758\n ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628\n rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n ...\n Uninit was created at:\n slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742\n slab_alloc_node mm/slub.c:3398\n __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437\n __do_kmalloc_node mm/slab_common.c:954\n __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975\n kmalloc_reserve net/core/skbuff.c:437\n __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509\n alloc_skb ./include/linux/skbuff.h:1267\n nlmsg_new ./include/net/netlink.h:964\n ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608\n rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540\n rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319\n netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921\n ...\n\nThis patch ensures that the reserved field is always initialized."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ipv6: addrlabel: corregir fuga de informaci\u00f3n al enviar struct ifaddrlblmsg a la red Al copiar un `struct ifaddrlblmsg` a la red, __ifal_reserved permaneci\u00f3 sin inicializar, lo que result\u00f3 en una fuga de informaci\u00f3n de 1 byte: ERROR: KMSAN: kernel-network-infoleak en __netdev_start_xmit ./include/linux/netdevice.h:4841 __netdev_start_xmit ./include/linux/netdevice.h:4841 netdev_start_xmit ./include/linux/netdevice.h:4857 xmit_one net/core/dev.c:3590 dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 dev_queue_xmit ./include/linux/netdevice.h:3009 __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 __netlink_sendskb net/netlink/af_netlink.c:1263 netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 nlmsg_unicast ./include/net/netlink.h:1061 rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 ... Uninit se cre\u00f3 en: slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 slab_alloc_node mm/slub.c:3398 __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 __do_kmalloc_node mm/slab_common.c:954 __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 kmalloc_reserve net/core/skbuff.c:437 __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 alloc_skb ./include/linux/skbuff.h:1267 nlmsg_new ./include/net/netlink.h:964 ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 netlink_unicast_kernel net/netlink/af_netlink.c:1319 netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 ... Este parche garantiza que el campo reservado siempre se inicialice."}], "id": "CVE-2022-49865", "lastModified": "2025-05-02T13:52:51.693", "metrics": {}, "published": "2025-05-01T15:16:11.420", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0f85b7ae7c4b5d7b4bbf7ac653a733c181a8a2bf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2acb2779b147decd300c117683d5a32ce61c75d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/49e92ba5ecd7d72ba369dde2ccff738edd028a47"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/568a47ff756f913e8b374c2af9d22cd2c772c744"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/58cd7fdc8c1e6c7873acc08f190069fed88d1c12"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6d26d0587abccb9835382a0b53faa7b9b1cd83e3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a033b86c7f7621fde31f0364af8986f43b44914f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c23fb2c82267638f9d206cb96bb93e1f93ad7828"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network", "id": "2363434", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363434"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network\nWhen copying a `struct ifaddrlblmsg` to the network, __ifal_reserved\nremained uninitialized, resulting in a 1-byte infoleak:\nBUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841\n__netdev_start_xmit ./include/linux/netdevice.h:4841\nnetdev_start_xmit ./include/linux/netdevice.h:4857\nxmit_one net/core/dev.c:3590\ndev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606\n__dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256\ndev_queue_xmit ./include/linux/netdevice.h:3009\n__netlink_deliver_tap_skb net/netlink/af_netlink.c:307\n__netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325\nnetlink_deliver_tap net/netlink/af_netlink.c:338\n__netlink_sendskb net/netlink/af_netlink.c:1263\nnetlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272\nnetlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360\nnlmsg_unicast ./include/net/netlink.h:1061\nrtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758\nip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628\nrtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n...\nUninit was created at:\nslab_post_alloc_hook+0x118/0xb00 mm/slab.h:742\nslab_alloc_node mm/slub.c:3398\n__kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437\n__do_kmalloc_node mm/slab_common.c:954\n__kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975\nkmalloc_reserve net/core/skbuff.c:437\n__alloc_skb+0x27a/0xab0 net/core/skbuff.c:509\nalloc_skb ./include/linux/skbuff.h:1267\nnlmsg_new ./include/net/netlink.h:964\nip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608\nrtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\nnetlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540\nrtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109\nnetlink_unicast_kernel net/netlink/af_netlink.c:1319\nnetlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345\nnetlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921\n...\nThis patch ensures that the reserved field is always initialized."], "name": "CVE-2022-49865", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49865\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49865\nhttps://lore.kernel.org/linux-cve-announce/2025050149-CVE-2022-49865-cd5b@gregkh/T"], "statement": "This patch addresses an information leak in the IPv6 address labeling subsystem (net/ipv6/addrlabel.c). When copying a struct ifaddrlblmsg into a netlink message, the __ifal_reserved field was left uninitialized, potentially leaking 1 byte of stack memory to userspace. This issue was reported by KMSAN and confirmed via syzkaller. It affects confidentiality and can be triggered by an unprivileged local user via rtnetlink sockets.", "threat_severity": "Moderate"}

{"created": "2025-06-23T09:16:30.578431+00:00", "updated": "2025-06-23T09:16:30.578495+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}