{"id":"CVE-2022-49838","summary":"sctp: clear out_curr if all frag chunks of current msg are pruned","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: clear out_curr if all frag chunks of current msg are pruned\n\nA crash was reported by Zhen Chen:\n\n  list_del corruption, ffffa035ddf01c18-\u003enext is NULL\n  WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0\n  RIP: 0010:__list_del_entry_valid+0x59/0xe0\n  Call Trace:\n   sctp_sched_dequeue_common+0x17/0x70 [sctp]\n   sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]\n   sctp_outq_flush_data+0x85/0x360 [sctp]\n   sctp_outq_uncork+0x77/0xa0 [sctp]\n   sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]\n   sctp_side_effects+0x37/0xe0 [sctp]\n   sctp_do_sm+0xd0/0x230 [sctp]\n   sctp_primitive_SEND+0x2f/0x40 [sctp]\n   sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]\n   sctp_sendmsg+0x3d5/0x440 [sctp]\n   sock_sendmsg+0x5b/0x70\n\nand in sctp_sched_fcfs_dequeue() it dequeued a chunk from stream\nout_curr outq while this outq was empty.\n\nNormally stream-\u003eout_curr must be set to NULL once all frag chunks of\ncurrent msg are dequeued, as we can see in sctp_sched_dequeue_done().\nHowever, in sctp_prsctp_prune_unsent() as it is not a proper dequeue,\nsctp_sched_dequeue_done() is not called to do this.\n\nThis patch is to fix it by simply setting out_curr to NULL when the\nlast frag chunk of current msg is dequeued from out_curr stream in\nsctp_prsctp_prune_unsent().","modified":"2026-05-18T05:55:18.208302019Z","published":"2025-05-01T14:09:54.816Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49838.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2ea600b598dd3e061854dd4dd5b4c815397dfcea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2f201ae14ae0f91dbf1cffea7bb1e29e81d4d108"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3eff34e01062ec08fbb45ce2baaaa644550be821"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e27458b18b35caee4b27b37a4a9c503b93cae5cc"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49838.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49838"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5bbbbe32a43199c2b9ea5ea66fab6241c64beb51"},{"fixed":"e27458b18b35caee4b27b37a4a9c503b93cae5cc"},{"fixed":"2ea600b598dd3e061854dd4dd5b4c815397dfcea"},{"fixed":"3eff34e01062ec08fbb45ce2baaaa644550be821"},{"fixed":"2f201ae14ae0f91dbf1cffea7bb1e29e81d4d108"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49838.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"5.10.156"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49838.json"}}],"schema_version":"1.7.5"}