CVE-2022-49766: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49766 is a vulnerability discovered in the Linux kernel related to netlink bounds-checking. The vulnerability was published on May 1, 2025, and specifically involves the struct nlmsgerr creation process in the netlink subsystem. The issue was identified to prevent future runtime warnings in the memcpy operation across composite flexible array structs (NVD, Wiz).

The vulnerability involves a field-spanning write issue in the netlink subsystem where memcpy performs a size 32 write operation on a single field '&errmsg->msg' at net/netlink/afnetlink.c:2447 with size 16. The fix involves switching from __nlmsg_put to nlmsg_put() and implementing proper bounds checking for memcpy operations across composite flexible array structs. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability affects the Linux kernel's netlink messaging system. While specific impact details are limited, it primarily relates to memory operations and could potentially lead to memory corruption issues if exploited (Wiz).

The issue has been resolved in various Linux kernel versions. Debian has released fixes in version 6.1.129-1 for bookworm and 6.12.22-1 for trixie. Red Hat has deferred fixes for Enterprise Linux 9, while versions 6, 7, and 8 are out of support scope. Users are advised to upgrade to the patched versions where available (Debian Tracker, Red Hat).