Cyber Posture

CVE-2022-49669

High

Published: 26 February 2025

Modified: 24 March 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race on unaccepted mptcp sockets

When the listener socket owning the relevant request is closed, it frees the unaccepted subflows and that causes later deletion of the paired MPTCP sockets. The mptcp socket's worker can run in the time interval between such delete operations. When that happens, any access to msk->first will cause a UaF access, as the subflow cleanup did not clear such field in the mptcp socket.

Address the issue by explicitly traversing the listener socket accept queue at close time and performing the needed cleanup on the pending msk.

Note that the locking is a bit tricky, as we need to acquire the msk socket lock while still owning the subflow socket one.

Security Summary

CVE-2022-49669 is a use-after-free vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation, arising from a race condition on unaccepted MPTCP sockets. When the listener socket owning a relevant request is closed, it frees the unaccepted subflows, which can lead to later deletion of paired MPTCP sockets. If the MPTCP socket's worker executes during this interval, it may access the freed msk->first field, resulting in a use-after-free condition. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements (AV:L/AC:L/PR:L/UI:N/S:U). Successful exploitation could grant high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or system crashes via the use-after-free access.

Mitigation patches have been applied in the Linux kernel stable trees, as documented in kernel commits 6aeed9045071f2252ff4e98fc13d1e304f33e5b0 and a8a3e95c74e48c2c9b07b81fafda9122993f2e12. These commits address the issue by explicitly traversing the listener socket's accept queue at close time and performing cleanup on pending MPTCP sockets (msk). The fix handles the tricky locking by acquiring the msk socket lock while still holding the subflow socket lock.
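For a defender, the actionable part of this record is the affected version range, so the following added example (not code from the page, the kernel project, or the fix commits) turns that range into a check that can be run against a host's `uname -r` output. The version bounds are read from the page's Affected Products entry; the interpretation that 5.17 is inclusive, that 5.18.10 is the first fixed stable release (exclusive upper bound), and that the standalone "5.19" entry refers to 5.19 release-candidate kernels is an assumption, as is the optional `net.mptcp.enabled` sysctl read, which only matters because the bug is reachable only where MPTCP is enabled.

```python
"""Kernel version check for CVE-2022-49669 (MPTCP use-after-free).

Added example; affected ranges are taken from the page, the boundary
interpretation below is an assumption and should be verified against the
distribution's own advisory before use.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# ASSUMPTION: 5.17 inclusive, 5.18.10 exclusive (first fixed stable release).
AFFECTED_RANGES = [((5, 17, 0), (5, 18, 10))]
# ASSUMPTION: the page's bare "5.19" entry means 5.19 pre-release (rc) kernels.
AFFECTED_PRERELEASE_SERIES = [(5, 19)]


def parse_kernel_version(release: str) -> Tuple[Version, bool]:
    """Parse a `uname -r` string such as '5.18.9-arch1-1' or '5.19.0-rc3'.

    Returns ((major, minor, patch), is_release_candidate). Distribution
    suffixes after the numeric part are ignored.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return ver, m.group(4) is not None


def is_affected(release: str) -> bool:
    """True if the given kernel release falls inside an affected range."""
    ver, is_rc = parse_kernel_version(release)
    for lo, hi in AFFECTED_RANGES:
        if lo <= ver < hi:
            return True
    # rc kernels of a series whose final release already carries the fix
    if is_rc and ver[:2] in AFFECTED_PRERELEASE_SERIES:
        return True
    return False


def mptcp_enabled(path: str = "/proc/sys/net/mptcp/enabled") -> Optional[bool]:
    """Read the net.mptcp.enabled sysctl; None if the kernel has no MPTCP."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def assess(release: str) -> str:
    """Combine version and sysctl state into a short verdict string."""
    if not is_affected(release):
        return f"{release}: kernel outside affected range"
    state = mptcp_enabled()
    if state is False:
        return f"{release}: affected version, but MPTCP is disabled"
    if state is None:
        return f"{release}: affected version, MPTCP sysctl not present"
    return f"{release}: affected version with MPTCP enabled; patch required"


if __name__ == "__main__":
    import platform
    print(assess(platform.release()))
```

Run it on a host to get a one-line verdict; `is_affected` alone is what an inventory script would call over a list of collected `uname -r` values.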

Details

CWE(s): CWE-416

Affected Products

linux / linux kernel: 5.19; 5.17 to 5.18.10
