CVE-2022-49602: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49602 is a data race vulnerability discovered in the Linux kernel's IP networking subsystem. The vulnerability specifically affects the sysctl_fwmark_reflect functionality, where concurrent access to this variable could lead to race conditions. This issue was disclosed and published to the CVE List on February 26, 2025, and received a CVSS v3.1 base score of 4.7 (Medium) (NVD).

The vulnerability stems from improper synchronization when reading the sysctl_fwmark_reflect variable in the Linux kernel's IP networking code. The issue occurs because the variable can be changed concurrently while being read, without proper atomic access guarantees. The fix involves adding READ_ONCE() to the reader to ensure atomic access to the variable. This vulnerability is classified as CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) (NVD, Kernel Patch).

The vulnerability has been assessed with a CVSS v3.1 base score of 4.7 (Medium), with the following vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. This indicates that while the vulnerability requires local access and is complex to exploit, it could potentially lead to high availability impacts on the affected system (NVD).

The vulnerability has been patched in the Linux kernel by adding READ_ONCE() to the reader of sysctl_fwmark_reflect. The fix has been backported to multiple kernel versions and is available through various distribution-specific updates. Ubuntu has implemented fixes for several kernel versions, including 4.15.0-1129.134 for linux-kvm and 4.15.0-1108.119 for linux-oracle (Ubuntu, Kernel Patch).