CVE-2022-49344: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49344 is a data race vulnerability discovered in the Linux kernel's AF_UNIX implementation. The issue specifically affects the unix_dgram_peer_wake_me() function, where unix_dgram_poll() calls unix_dgram_peer_wake_me() without proper lock handling when checking the receive queue status. The vulnerability was disclosed on February 26, 2025, and affects multiple versions of the Linux kernel (NVD).

The vulnerability stems from a race condition in the AF_UNIX socket implementation where unix_dgram_poll() calls unix_dgram_peer_wake_me() without holding the 'other' lock while checking if its receive queue is full. The fix involves replacing unix_recvq_full() with unix_recvq_full_lockless() to prevent the race condition that KCSAN (Kernel Concurrency Sanitizer) would otherwise detect. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with a vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a data race condition in the Linux kernel's AF_UNIX socket implementation, potentially affecting system stability and availability. The CVSS scoring indicates that while the vulnerability requires local access and is complex to exploit, it could result in high availability impact to the affected system (NVD).

The vulnerability has been patched in the Linux kernel through a fix that replaces unix_recvq_full() with unix_recvq_full_lockless() in the affected code. Multiple patch commits have been released to address this issue across different kernel versions (Kernel Patch).