Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1140
Vulnerability from certfr_avis - Published: 2025-12-26 - Updated: 2025-12-26
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un contournement de la politique de sécurité et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | Public Cloud Module | Public Cloud Module 15-SP7 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.5 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5, SP5 LTSS et SP5 LTSS Extended Security | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP5 | ||
| SUSE | Public Cloud Module | Public Cloud Module 15-SP6 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.6 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Real Time 15 SP5 et SP5 LTSS | ||
| SUSE | SUSE Real Time Module | SUSE Real Time Module 15-SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP7 | ||
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 15 SP5, ESPOS 15 SP5 et LTSS 15 SP5 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.5 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 11 SP4 et SP4 LTSS EXTREME CORE | ||
| SUSE | SUSE Real Time Module | SUSE Real Time Module 15-SP7 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Public Cloud Module 15-SP7",
"product": {
"name": "Public Cloud Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5, SP5 LTSS et SP5 LTSS Extended Security",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Public Cloud Module 15-SP6",
"product": {
"name": "Public Cloud Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5 et SP5 LTSS",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP6",
"product": {
"name": "SUSE Real Time Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP5, ESPOS 15 SP5 et LTSS 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 11 SP4 et SP4 LTSS EXTREME CORE",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP7",
"product": {
"name": "SUSE Real Time Module",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40064"
},
{
"name": "CVE-2025-40156",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40156"
},
{
"name": "CVE-2025-40055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40055"
},
{
"name": "CVE-2025-40048",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40048"
},
{
"name": "CVE-2025-40121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40121"
},
{
"name": "CVE-2025-40204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40204"
},
{
"name": "CVE-2025-40171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40171"
},
{
"name": "CVE-2022-50368",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50368"
},
{
"name": "CVE-2025-40139",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40139"
},
{
"name": "CVE-2025-39967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39967"
},
{
"name": "CVE-2025-40107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40107"
},
{
"name": "CVE-2025-40115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40115"
},
{
"name": "CVE-2025-40198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40198"
},
{
"name": "CVE-2025-40173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40173"
},
{
"name": "CVE-2025-39944",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39944"
},
{
"name": "CVE-2025-40194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40194"
},
{
"name": "CVE-2025-38436",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38436"
},
{
"name": "CVE-2025-40001",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40001"
},
{
"name": "CVE-2023-53431",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53431"
},
{
"name": "CVE-2025-39859",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39859"
},
{
"name": "CVE-2025-40172",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40172"
},
{
"name": "CVE-2022-50494",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50494"
},
{
"name": "CVE-2025-40188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40188"
},
{
"name": "CVE-2025-40186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40186"
},
{
"name": "CVE-2025-40086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40086"
},
{
"name": "CVE-2025-40169",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40169"
},
{
"name": "CVE-2023-53369",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53369"
},
{
"name": "CVE-2023-53641",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53641"
},
{
"name": "CVE-2025-40070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40070"
},
{
"name": "CVE-2025-40047",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40047"
},
{
"name": "CVE-2025-40205",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40205"
},
{
"name": "CVE-2022-50253",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50253"
},
{
"name": "CVE-2025-40075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40075"
},
{
"name": "CVE-2025-40027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40027"
},
{
"name": "CVE-2022-50280",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50280"
},
{
"name": "CVE-2025-40206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40206"
},
{
"name": "CVE-2022-50578",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50578"
},
{
"name": "CVE-2025-39788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39788"
},
{
"name": "CVE-2022-50551",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50551"
},
{
"name": "CVE-2025-40109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40109"
},
{
"name": "CVE-2025-40038",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40038"
},
{
"name": "CVE-2025-39805",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39805"
},
{
"name": "CVE-2025-40176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40176"
},
{
"name": "CVE-2025-40183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40183"
},
{
"name": "CVE-2025-37916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37916"
},
{
"name": "CVE-2025-38359",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38359"
},
{
"name": "CVE-2025-40074",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40074"
},
{
"name": "CVE-2025-40116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40116"
},
{
"name": "CVE-2025-40127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40127"
},
{
"name": "CVE-2025-40168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40168"
},
{
"name": "CVE-2025-40120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40120"
},
{
"name": "CVE-2025-40185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40185"
},
{
"name": "CVE-2025-40098",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40098"
},
{
"name": "CVE-2025-40129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40129"
},
{
"name": "CVE-2025-40040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40040"
},
{
"name": "CVE-2025-40207",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40207"
},
{
"name": "CVE-2025-40118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40118"
},
{
"name": "CVE-2025-40157",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40157"
},
{
"name": "CVE-2025-40021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40021"
},
{
"name": "CVE-2025-40105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40105"
},
{
"name": "CVE-2025-40083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40083"
},
{
"name": "CVE-2025-40154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40154"
},
{
"name": "CVE-2022-50364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50364"
},
{
"name": "CVE-2025-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40149"
},
{
"name": "CVE-2025-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40164"
},
{
"name": "CVE-2023-53542",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53542"
},
{
"name": "CVE-2023-53229",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53229"
},
{
"name": "CVE-2025-40180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40180"
},
{
"name": "CVE-2025-40200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40200"
},
{
"name": "CVE-2025-40080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40080"
},
{
"name": "CVE-2025-40111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40111"
},
{
"name": "CVE-2025-40059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40059"
},
{
"name": "CVE-2023-53676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53676"
},
{
"name": "CVE-2022-50569",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50569"
},
{
"name": "CVE-2025-39822",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39822"
},
{
"name": "CVE-2025-40141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40141"
},
{
"name": "CVE-2025-40110",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40110"
},
{
"name": "CVE-2025-39980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39980"
},
{
"name": "CVE-2025-40030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40030"
},
{
"name": "CVE-2025-39819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39819"
},
{
"name": "CVE-2025-38360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38360"
},
{
"name": "CVE-2022-50545",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50545"
},
{
"name": "CVE-2025-40140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40140"
},
{
"name": "CVE-2025-21710",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21710"
},
{
"name": "CVE-2025-40159",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40159"
},
{
"name": "CVE-2023-53597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53597"
},
{
"name": "CVE-2024-53093",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53093"
},
{
"name": "CVE-2025-38361",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38361"
}
],
"initial_release_date": "2025-12-26T00:00:00",
"last_revision_date": "2025-12-26T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1140",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un contournement de la politique de s\u00e9curit\u00e9 et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2025-12-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4506-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254506-1"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4517-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254517-1"
},
{
"published_at": "2025-12-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4507-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254507-1"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4515-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254515-1"
},
{
"published_at": "2025-12-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4505-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254505-1"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4516-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254516-1"
},
{
"published_at": "2025-12-24",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4521-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254521-1"
}
]
}
CVE-2022-50253 (GCVE-0-2022-50253)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:02 – Updated: 2026-05-11 19:15
VLAI?
EPSS
Title
bpf: make sure skb->len != 0 when redirecting to a tunneling device
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: make sure skb->len != 0 when redirecting to a tunneling device
syzkaller managed to trigger another case where skb->len == 0
when we enter __dev_queue_xmit:
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295
Call Trace:
dev_queue_xmit+0x17/0x20 net/core/dev.c:4406
__bpf_tx_skb net/core/filter.c:2115 [inline]
__bpf_redirect_no_mac net/core/filter.c:2140 [inline]
__bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163
____bpf_clone_redirect net/core/filter.c:2447 [inline]
bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419
bpf_prog_48159a89cb4a9a16+0x59/0x5e
bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]
__bpf_prog_run include/linux/filter.h:596 [inline]
bpf_prog_run include/linux/filter.h:603 [inline]
bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402
bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170
bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648
__sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005
__do_sys_bpf kernel/bpf/syscall.c:5091 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5089 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089
do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x61/0xc6
The reproducer doesn't really reproduce outside of syzkaller
environment, so I'm taking a guess here. It looks like we
do generate correct ETH_HLEN-sized packet, but we redirect
the packet to the tunneling device. Before we do so, we
__skb_pull l2 header and arrive again at skb->len == 0.
Doesn't seem like we can do anything better than having
an explicit check after __skb_pull?
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < ffbccc5fb0a67424e12f7f8da210c04c8063f797
(git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < e6a63203e5a90a39392fa1a7ffc60f5e9baf642a (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 772431f30ca040cfbf31b791d468bac6a9ca74d3 (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 6d935a02658be82585ecb39aab339faa84496650 (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5 (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 1b65704b8c08ae92db29f720d3b298031131da53 (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < f186303845a01cc7e991f9dc51d7e5a3cdc7aedb (git) Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca (git) |
|
| Linux | Linux |
Affected:
4.9
Unaffected: 0 , < 4.9 (semver) Unaffected: 4.14.303 , ≤ 4.14.* (semver) Unaffected: 4.19.270 , ≤ 4.19.* (semver) Unaffected: 5.4.229 , ≤ 5.4.* (semver) Unaffected: 5.10.163 , ≤ 5.10.* (semver) Unaffected: 5.15.86 , ≤ 5.15.* (semver) Unaffected: 6.0.16 , ≤ 6.0.* (semver) Unaffected: 6.1.2 , ≤ 6.1.* (semver) Unaffected: 6.2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ffbccc5fb0a67424e12f7f8da210c04c8063f797",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "e6a63203e5a90a39392fa1a7ffc60f5e9baf642a",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "772431f30ca040cfbf31b791d468bac6a9ca74d3",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "6d935a02658be82585ecb39aab339faa84496650",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "1b65704b8c08ae92db29f720d3b298031131da53",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "f186303845a01cc7e991f9dc51d7e5a3cdc7aedb",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
},
{
"lessThan": "07ec7b502800ba9f7b8b15cb01dd6556bb41aaca",
"status": "affected",
"version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: make sure skb-\u003elen != 0 when redirecting to a tunneling device\n\nsyzkaller managed to trigger another case where skb-\u003elen == 0\nwhen we enter __dev_queue_xmit:\n\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295\n\nCall Trace:\n dev_queue_xmit+0x17/0x20 net/core/dev.c:4406\n __bpf_tx_skb net/core/filter.c:2115 [inline]\n __bpf_redirect_no_mac net/core/filter.c:2140 [inline]\n __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163\n ____bpf_clone_redirect net/core/filter.c:2447 [inline]\n bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419\n bpf_prog_48159a89cb4a9a16+0x59/0x5e\n bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]\n __bpf_prog_run include/linux/filter.h:596 [inline]\n bpf_prog_run include/linux/filter.h:603 [inline]\n bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402\n bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170\n bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648\n __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005\n __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089\n do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThe reproducer doesn\u0027t really reproduce outside of syzkaller\nenvironment, so I\u0027m taking a guess here. It looks like we\ndo generate correct ETH_HLEN-sized packet, but we redirect\nthe packet to the tunneling device. Before we do so, we\n__skb_pull l2 header and arrive again at skb-\u003elen == 0.\nDoesn\u0027t seem like we can do anything better than having\nan explicit check after __skb_pull?"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:15:44.305Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797"
},
{
"url": "https://git.kernel.org/stable/c/e6a63203e5a90a39392fa1a7ffc60f5e9baf642a"
},
{
"url": "https://git.kernel.org/stable/c/772431f30ca040cfbf31b791d468bac6a9ca74d3"
},
{
"url": "https://git.kernel.org/stable/c/6d935a02658be82585ecb39aab339faa84496650"
},
{
"url": "https://git.kernel.org/stable/c/5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5"
},
{
"url": "https://git.kernel.org/stable/c/1b65704b8c08ae92db29f720d3b298031131da53"
},
{
"url": "https://git.kernel.org/stable/c/f186303845a01cc7e991f9dc51d7e5a3cdc7aedb"
},
{
"url": "https://git.kernel.org/stable/c/07ec7b502800ba9f7b8b15cb01dd6556bb41aaca"
}
],
"title": "bpf: make sure skb-\u003elen != 0 when redirecting to a tunneling device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50253",
"datePublished": "2025-09-15T14:02:34.849Z",
"dateReserved": "2025-09-15T13:58:00.973Z",
"dateUpdated": "2026-05-11T19:15:44.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50280 (GCVE-0-2022-50280)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-05-23 15:24
VLAI?
EPSS
Title
pnode: terminate at peers of source
Summary
In the Linux kernel, the following vulnerability has been resolved:
pnode: terminate at peers of source
The propagate_mnt() function handles mount propagation when creating
mounts and propagates the source mount tree @source_mnt to all
applicable nodes of the destination propagation mount tree headed by
@dest_mnt.
Unfortunately it contains a bug where it fails to terminate at peers of
@source_mnt when looking up copies of the source mount that become
masters for copies of the source mount tree mounted on top of slaves in
the destination propagation tree causing a NULL dereference.
Once the mechanics of the bug are understood it's easy to trigger.
Because of unprivileged user namespaces it is available to unprivileged
users.
While fixing this bug we've gotten confused multiple times due to
unclear terminology or missing concepts. So let's start this with some
clarifications:
* The terms "master" or "peer" denote a shared mount. A shared mount
belongs to a peer group.
* A peer group is a set of shared mounts that propagate to each other.
They are identified by a peer group id. The peer group id is available
in @shared_mnt->mnt_group_id.
Shared mounts within the same peer group have the same peer group id.
The peers in a peer group can be reached via @shared_mnt->mnt_share.
* The terms "slave mount" or "dependent mount" denote a mount that
receives propagation from a peer in a peer group. IOW, shared mounts
may have slave mounts and slave mounts have shared mounts as their
master. Slave mounts of a given peer in a peer group are listed on
that peers slave list available at @shared_mnt->mnt_slave_list.
* The term "master mount" denotes a mount in a peer group. IOW, it
denotes a shared mount or a peer mount in a peer group. The term
"master mount" - or "master" for short - is mostly used when talking
in the context of slave mounts that receive propagation from a master
mount. A master mount of a slave identifies the closest peer group a
slave mount receives propagation from. The master mount of a slave can
be identified via @slave_mount->mnt_master. Different slaves may point
to different masters in the same peer group.
* Multiple peers in a peer group can have non-empty ->mnt_slave_lists.
Non-empty ->mnt_slave_lists of peers don't intersect. Consequently, to
ensure all slave mounts of a peer group are visited the
->mnt_slave_lists of all peers in a peer group have to be walked.
* Slave mounts point to a peer in the closest peer group they receive
propagation from via @slave_mnt->mnt_master (see above). Together with
these peers they form a propagation group (see below). The closest
peer group can thus be identified through the peer group id
@slave_mnt->mnt_master->mnt_group_id of the peer/master that a slave
mount receives propagation from.
* A shared-slave mount is a slave mount to a peer group pg1 while also
a peer in another peer group pg2. IOW, a peer group may receive
propagation from another peer group.
If a peer group pg1 is a slave to another peer group pg2 then all
peers in peer group pg1 point to the same peer in peer group pg2 via
->mnt_master. IOW, all peers in peer group pg1 appear on the same
->mnt_slave_list. IOW, they cannot be slaves to different peer groups.
* A pure slave mount is a slave mount that is a slave to a peer group
but is not a peer in another peer group.
* A propagation group denotes the set of mounts consisting of a single
peer group pg1 and all slave mounts and shared-slave mounts that point
to a peer in that peer group via ->mnt_master. IOW, all slave mounts
such that @slave_mnt->mnt_master->mnt_group_id is equal to
@shared_mnt->mnt_group_id.
The concept of a propagation group makes it easier to talk about a
single propagation level in a propagation tree.
For example, in propagate_mnt() the immediate peers of @dest_mnt and
all slaves of @dest_mnt's peer group form a propagation group pr
---truncated---
Severity ?
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < cad0d17fb2b0540180ab59e2cd48ad348cc1ee4c
(git)
Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < cc997490be65da0af8c75a6244fc80bb66c53ce0 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < 7f57df69de7f05302fad584eb8e3f34de39e0311 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < 2dae4211b579ce98985876a73a78466e285238ff (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < b591b2919d018ef91b4a9571edca94105bcad3df (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < c24cc476acd8bccb5af54849aac5e779d8223bf5 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < e7c9f10c44a8919cd8bbd51b228c84d0caf7d518 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < 784a4f995ee24460aa72e00b085612fad57ebce5 (git) Affected: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 , < 11933cf1d91d57da9e5c53822a540bbdc2656c16 (git) Affected: fc7b1646bf29f722277bdd19551e01420ce9da8f (git) Affected: 3.14.3 , < 3.15 (semver) |
|
| Linux | Linux |
Affected:
3.15
Unaffected: 0 , < 3.15 (semver) Unaffected: 4.9.337 , ≤ 4.9.* (semver) Unaffected: 4.14.303 , ≤ 4.14.* (semver) Unaffected: 4.19.270 , ≤ 4.19.* (semver) Unaffected: 5.4.229 , ≤ 5.4.* (semver) Unaffected: 5.10.163 , ≤ 5.10.* (semver) Unaffected: 5.15.87 , ≤ 5.15.* (semver) Unaffected: 6.0.17 , ≤ 6.0.* (semver) Unaffected: 6.1.3 , ≤ 6.1.* (semver) Unaffected: 6.2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/pnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cad0d17fb2b0540180ab59e2cd48ad348cc1ee4c",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "cc997490be65da0af8c75a6244fc80bb66c53ce0",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "7f57df69de7f05302fad584eb8e3f34de39e0311",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "2dae4211b579ce98985876a73a78466e285238ff",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "b591b2919d018ef91b4a9571edca94105bcad3df",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "c24cc476acd8bccb5af54849aac5e779d8223bf5",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "e7c9f10c44a8919cd8bbd51b228c84d0caf7d518",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "784a4f995ee24460aa72e00b085612fad57ebce5",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"lessThan": "11933cf1d91d57da9e5c53822a540bbdc2656c16",
"status": "affected",
"version": "f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68",
"versionType": "git"
},
{
"status": "affected",
"version": "fc7b1646bf29f722277bdd19551e01420ce9da8f",
"versionType": "git"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/pnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npnode: terminate at peers of source\n\nThe propagate_mnt() function handles mount propagation when creating\nmounts and propagates the source mount tree @source_mnt to all\napplicable nodes of the destination propagation mount tree headed by\n@dest_mnt.\n\nUnfortunately it contains a bug where it fails to terminate at peers of\n@source_mnt when looking up copies of the source mount that become\nmasters for copies of the source mount tree mounted on top of slaves in\nthe destination propagation tree causing a NULL dereference.\n\nOnce the mechanics of the bug are understood it\u0027s easy to trigger.\nBecause of unprivileged user namespaces it is available to unprivileged\nusers.\n\nWhile fixing this bug we\u0027ve gotten confused multiple times due to\nunclear terminology or missing concepts. So let\u0027s start this with some\nclarifications:\n\n* The terms \"master\" or \"peer\" denote a shared mount. A shared mount\n belongs to a peer group.\n\n* A peer group is a set of shared mounts that propagate to each other.\n They are identified by a peer group id. The peer group id is available\n in @shared_mnt-\u003emnt_group_id.\n Shared mounts within the same peer group have the same peer group id.\n The peers in a peer group can be reached via @shared_mnt-\u003emnt_share.\n\n* The terms \"slave mount\" or \"dependent mount\" denote a mount that\n receives propagation from a peer in a peer group. IOW, shared mounts\n may have slave mounts and slave mounts have shared mounts as their\n master. Slave mounts of a given peer in a peer group are listed on\n that peers slave list available at @shared_mnt-\u003emnt_slave_list.\n\n* The term \"master mount\" denotes a mount in a peer group. IOW, it\n denotes a shared mount or a peer mount in a peer group. The term\n \"master mount\" - or \"master\" for short - is mostly used when talking\n in the context of slave mounts that receive propagation from a master\n mount. A master mount of a slave identifies the closest peer group a\n slave mount receives propagation from. The master mount of a slave can\n be identified via @slave_mount-\u003emnt_master. Different slaves may point\n to different masters in the same peer group.\n\n* Multiple peers in a peer group can have non-empty -\u003emnt_slave_lists.\n Non-empty -\u003emnt_slave_lists of peers don\u0027t intersect. Consequently, to\n ensure all slave mounts of a peer group are visited the\n -\u003emnt_slave_lists of all peers in a peer group have to be walked.\n\n* Slave mounts point to a peer in the closest peer group they receive\n propagation from via @slave_mnt-\u003emnt_master (see above). Together with\n these peers they form a propagation group (see below). The closest\n peer group can thus be identified through the peer group id\n @slave_mnt-\u003emnt_master-\u003emnt_group_id of the peer/master that a slave\n mount receives propagation from.\n\n* A shared-slave mount is a slave mount to a peer group pg1 while also\n a peer in another peer group pg2. IOW, a peer group may receive\n propagation from another peer group.\n\n If a peer group pg1 is a slave to another peer group pg2 then all\n peers in peer group pg1 point to the same peer in peer group pg2 via\n -\u003emnt_master. IOW, all peers in peer group pg1 appear on the same\n -\u003emnt_slave_list. IOW, they cannot be slaves to different peer groups.\n\n* A pure slave mount is a slave mount that is a slave to a peer group\n but is not a peer in another peer group.\n\n* A propagation group denotes the set of mounts consisting of a single\n peer group pg1 and all slave mounts and shared-slave mounts that point\n to a peer in that peer group via -\u003emnt_master. IOW, all slave mounts\n such that @slave_mnt-\u003emnt_master-\u003emnt_group_id is equal to\n @shared_mnt-\u003emnt_group_id.\n\n The concept of a propagation group makes it easier to talk about a\n single propagation level in a propagation tree.\n\n For example, in propagate_mnt() the immediate peers of @dest_mnt and\n all slaves of @dest_mnt\u0027s peer group form a propagation group pr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:24:06.223Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cad0d17fb2b0540180ab59e2cd48ad348cc1ee4c"
},
{
"url": "https://git.kernel.org/stable/c/cc997490be65da0af8c75a6244fc80bb66c53ce0"
},
{
"url": "https://git.kernel.org/stable/c/7f57df69de7f05302fad584eb8e3f34de39e0311"
},
{
"url": "https://git.kernel.org/stable/c/2dae4211b579ce98985876a73a78466e285238ff"
},
{
"url": "https://git.kernel.org/stable/c/b591b2919d018ef91b4a9571edca94105bcad3df"
},
{
"url": "https://git.kernel.org/stable/c/c24cc476acd8bccb5af54849aac5e779d8223bf5"
},
{
"url": "https://git.kernel.org/stable/c/e7c9f10c44a8919cd8bbd51b228c84d0caf7d518"
},
{
"url": "https://git.kernel.org/stable/c/784a4f995ee24460aa72e00b085612fad57ebce5"
},
{
"url": "https://git.kernel.org/stable/c/11933cf1d91d57da9e5c53822a540bbdc2656c16"
}
],
"title": "pnode: terminate at peers of source",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50280",
"datePublished": "2025-09-15T14:21:16.891Z",
"dateReserved": "2025-09-15T13:58:00.976Z",
"dateUpdated": "2026-05-23T15:24:06.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50364 (GCVE-0-2022-50364)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-05-11 19:18
VLAI?
EPSS
Title
i2c: mux: reg: check return value after calling platform_get_resource()
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: mux: reg: check return value after calling platform_get_resource()
It will cause null-ptr-deref in resource_size(), if platform_get_resource()
returns NULL, move calling resource_size() after devm_ioremap_resource() that
will check 'res' to avoid null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b3fdd32799d834e2626fae087906e886037350c6 , < 61df25c41b8e0d2c988ccf17139f70075a2e1ba4
(git)
Affected: b3fdd32799d834e2626fae087906e886037350c6 , < 8212800943997fab61874550278d653cb378c60c (git) Affected: b3fdd32799d834e2626fae087906e886037350c6 , < f5049b3ad9446203b916ee375f30fa217735f63a (git) Affected: b3fdd32799d834e2626fae087906e886037350c6 , < f7a440c89b6d460154efeb058272760e41bdfea8 (git) Affected: b3fdd32799d834e2626fae087906e886037350c6 , < 2d47b79d2bd39cc6369eccf94a06568d84c906ae (git) |
|
| Linux | Linux |
Affected:
4.3
Unaffected: 0 , < 4.3 (semver) Unaffected: 5.10.163 , ≤ 5.10.* (semver) Unaffected: 5.15.86 , ≤ 5.15.* (semver) Unaffected: 6.0.16 , ≤ 6.0.* (semver) Unaffected: 6.1.2 , ≤ 6.1.* (semver) Unaffected: 6.2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:34:19.727161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:42:58.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/muxes/i2c-mux-reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61df25c41b8e0d2c988ccf17139f70075a2e1ba4",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "8212800943997fab61874550278d653cb378c60c",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "f5049b3ad9446203b916ee375f30fa217735f63a",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "f7a440c89b6d460154efeb058272760e41bdfea8",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
},
{
"lessThan": "2d47b79d2bd39cc6369eccf94a06568d84c906ae",
"status": "affected",
"version": "b3fdd32799d834e2626fae087906e886037350c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/muxes/i2c-mux-reg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mux: reg: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref in resource_size(), if platform_get_resource()\nreturns NULL, move calling resource_size() after devm_ioremap_resource() that\nwill check \u0027res\u0027 to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:18:07.762Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61df25c41b8e0d2c988ccf17139f70075a2e1ba4"
},
{
"url": "https://git.kernel.org/stable/c/8212800943997fab61874550278d653cb378c60c"
},
{
"url": "https://git.kernel.org/stable/c/f5049b3ad9446203b916ee375f30fa217735f63a"
},
{
"url": "https://git.kernel.org/stable/c/f7a440c89b6d460154efeb058272760e41bdfea8"
},
{
"url": "https://git.kernel.org/stable/c/2d47b79d2bd39cc6369eccf94a06568d84c906ae"
}
],
"title": "i2c: mux: reg: check return value after calling platform_get_resource()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50364",
"datePublished": "2025-09-17T14:56:15.753Z",
"dateReserved": "2025-09-17T14:53:06.994Z",
"dateUpdated": "2026-05-11T19:18:07.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50368 (GCVE-0-2022-50368)
Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-05-11 19:18
VLAI?
EPSS
Title
drm/msm/dsi: fix memory corruption with too many bridges
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dsi: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502668/
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < 4e5587cddb334f7a5bb1c49ea8bbfc966fafe1b8
(git)
Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < f649ed0e1b7a1545f8e27267d3c468b3cb222ece (git) Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < 21c4679af01f1027cb559330c2e7d410089b2b36 (git) Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < 9f035d1fb30648fe70ee01627eb131c56d699b35 (git) Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < e83b354890a3c1d5256162f87a6cc38c47ae7f20 (git) Affected: a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e , < 2e786eb2f9cebb07e317226b60054df510b60c65 (git) |
|
| Linux | Linux |
Affected:
4.1
Unaffected: 0 , < 4.1 (semver) Unaffected: 4.19.264 , ≤ 4.19.* (semver) Unaffected: 5.4.223 , ≤ 5.4.* (semver) Unaffected: 5.10.153 , ≤ 5.10.* (semver) Unaffected: 5.15.77 , ≤ 5.15.* (semver) Unaffected: 6.0.7 , ≤ 6.0.* (semver) Unaffected: 6.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:35:26.283766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:42:59.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dsi/dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e5587cddb334f7a5bb1c49ea8bbfc966fafe1b8",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "f649ed0e1b7a1545f8e27267d3c468b3cb222ece",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "21c4679af01f1027cb559330c2e7d410089b2b36",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "9f035d1fb30648fe70ee01627eb131c56d699b35",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "e83b354890a3c1d5256162f87a6cc38c47ae7f20",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
},
{
"lessThan": "2e786eb2f9cebb07e317226b60054df510b60c65",
"status": "affected",
"version": "a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dsi/dsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dsi: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502668/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:18:12.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e5587cddb334f7a5bb1c49ea8bbfc966fafe1b8"
},
{
"url": "https://git.kernel.org/stable/c/f649ed0e1b7a1545f8e27267d3c468b3cb222ece"
},
{
"url": "https://git.kernel.org/stable/c/21c4679af01f1027cb559330c2e7d410089b2b36"
},
{
"url": "https://git.kernel.org/stable/c/9f035d1fb30648fe70ee01627eb131c56d699b35"
},
{
"url": "https://git.kernel.org/stable/c/e83b354890a3c1d5256162f87a6cc38c47ae7f20"
},
{
"url": "https://git.kernel.org/stable/c/2e786eb2f9cebb07e317226b60054df510b60c65"
}
],
"title": "drm/msm/dsi: fix memory corruption with too many bridges",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50368",
"datePublished": "2025-09-17T14:56:24.102Z",
"dateReserved": "2025-09-17T14:53:06.995Z",
"dateUpdated": "2026-05-11T19:18:12.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50494 (GCVE-0-2022-50494)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:43 – Updated: 2026-05-11 19:20
VLAI?
EPSS
Title
thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
When CPU 0 is offline and intel_powerclamp is used to inject
idle, it generates kernel BUG:
BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687
caller is debug_smp_processor_id+0x17/0x20
CPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57
Call Trace:
<TASK>
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
check_preemption_disabled+0xdd/0xe0
debug_smp_processor_id+0x17/0x20
powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]
...
...
Here CPU 0 is the control CPU by default and changed to the current CPU,
if CPU 0 offlined. This check has to be performed under cpus_read_lock(),
hence the above warning.
Use get_cpu() instead of smp_processor_id() to avoid this BUG.
[ rjw: Subject edits ]
Severity ?
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 3e799e815097febbcb81b472285be824f5d089f9
(git)
Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 0f91f66c568b316b19cb042cf50584467b3bdff4 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 6904727db0eb62fb0c2dce1cf331c341d97ee4b7 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 5a646c38f648185ee2c62f2a19da3c6f04e27612 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 513943bf879d45005213e6f5cfb7d9e9943f589f (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 5614908434451aafbf9b24cb5247cf1d21269f76 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 6e2a347b304224b2aeb1c0ea000d1cf8a02cc592 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 418fae0700e85a498062424f8656435c32cdb200 (git) Affected: d6d71ee4a14ae602db343ec48c491851d7ec5267 , < 68b99e94a4a2db6ba9b31fe0485e057b9354a640 (git) |
|
| Linux | Linux |
Affected:
3.9
Unaffected: 0 , < 3.9 (semver) Unaffected: 4.9.331 , ≤ 4.9.* (semver) Unaffected: 4.14.296 , ≤ 4.14.* (semver) Unaffected: 4.19.262 , ≤ 4.19.* (semver) Unaffected: 5.4.220 , ≤ 5.4.* (semver) Unaffected: 5.10.150 , ≤ 5.10.* (semver) Unaffected: 5.15.75 , ≤ 5.15.* (semver) Unaffected: 5.19.17 , ≤ 5.19.* (semver) Unaffected: 6.0.3 , ≤ 6.0.* (semver) Unaffected: 6.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/intel_powerclamp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e799e815097febbcb81b472285be824f5d089f9",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "0f91f66c568b316b19cb042cf50584467b3bdff4",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "6904727db0eb62fb0c2dce1cf331c341d97ee4b7",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "5a646c38f648185ee2c62f2a19da3c6f04e27612",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "513943bf879d45005213e6f5cfb7d9e9943f589f",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "5614908434451aafbf9b24cb5247cf1d21269f76",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "6e2a347b304224b2aeb1c0ea000d1cf8a02cc592",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "418fae0700e85a498062424f8656435c32cdb200",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
},
{
"lessThan": "68b99e94a4a2db6ba9b31fe0485e057b9354a640",
"status": "affected",
"version": "d6d71ee4a14ae602db343ec48c491851d7ec5267",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/intel_powerclamp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash\n\nWhen CPU 0 is offline and intel_powerclamp is used to inject\nidle, it generates kernel BUG:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: bash/15687\ncaller is debug_smp_processor_id+0x17/0x20\nCPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\ncheck_preemption_disabled+0xdd/0xe0\ndebug_smp_processor_id+0x17/0x20\npowerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]\n...\n...\n\nHere CPU 0 is the control CPU by default and changed to the current CPU,\nif CPU 0 offlined. This check has to be performed under cpus_read_lock(),\nhence the above warning.\n\nUse get_cpu() instead of smp_processor_id() to avoid this BUG.\n\n[ rjw: Subject edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:20:33.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e799e815097febbcb81b472285be824f5d089f9"
},
{
"url": "https://git.kernel.org/stable/c/0f91f66c568b316b19cb042cf50584467b3bdff4"
},
{
"url": "https://git.kernel.org/stable/c/6904727db0eb62fb0c2dce1cf331c341d97ee4b7"
},
{
"url": "https://git.kernel.org/stable/c/5a646c38f648185ee2c62f2a19da3c6f04e27612"
},
{
"url": "https://git.kernel.org/stable/c/513943bf879d45005213e6f5cfb7d9e9943f589f"
},
{
"url": "https://git.kernel.org/stable/c/5614908434451aafbf9b24cb5247cf1d21269f76"
},
{
"url": "https://git.kernel.org/stable/c/6e2a347b304224b2aeb1c0ea000d1cf8a02cc592"
},
{
"url": "https://git.kernel.org/stable/c/418fae0700e85a498062424f8656435c32cdb200"
},
{
"url": "https://git.kernel.org/stable/c/68b99e94a4a2db6ba9b31fe0485e057b9354a640"
}
],
"title": "thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50494",
"datePublished": "2025-10-04T15:43:46.562Z",
"dateReserved": "2025-10-04T15:39:19.464Z",
"dateUpdated": "2026-05-11T19:20:33.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50545 (GCVE-0-2022-50545)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2026-05-11 19:21
VLAI?
EPSS
Title
r6040: Fix kmemleak in probe and remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
r6040: Fix kmemleak in probe and remove
There is a memory leaks reported by kmemleak:
unreferenced object 0xffff888116111000 (size 2048):
comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s)
hex dump (first 32 bytes):
00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................
08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
[<ffffffff827e20ee>] phy_device_create+0x4e/0x90
[<ffffffff827e6072>] get_phy_device+0xd2/0x220
[<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0
[<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0
[<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]
...
The problem occurs in probe process as follows:
r6040_init_one:
mdiobus_register
mdiobus_scan <- alloc and register phy_device,
the reference count of phy_device is 3
r6040_mii_probe
phy_connect <- connect to the first phy_device,
so the reference count of the first
phy_device is 4, others are 3
register_netdev <- fault inject succeeded, goto error handling path
// error handling path
err_out_mdio_unregister:
mdiobus_unregister(lp->mii_bus);
err_out_mdio:
mdiobus_free(lp->mii_bus); <- the reference count of the first
phy_device is 1, it is not released
and other phy_devices are released
// similarly, the remove process also has the same problem
The root cause is traced to the phy_device is not disconnected when
removes one r6040 device in r6040_remove_one() or on error handling path
after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet
device is connected to the first PHY device of mii_bus, in order to
notify the connected driver when the link status changes, which is the
default behavior of the PHY infrastructure to handle everything.
Therefore the phy_device should be disconnected when removes one r6040
device or on error handling path.
Fix it by adding phy_disconnect() when removes one r6040 device or on
error handling path after r6040_mii probed successfully.
Severity ?
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3831861b4ad8fd0ad7110048eb3e155628799d2b , < a04707f4596952049da05756c27398c34d9a1d36
(git)
Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < b4448816e6a565e08236a6009c6bf48c6836cdfd (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 2ce242e1b9ad31c1f68496b3548e407a8cb2c07d (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < b0a61359026b57a287a48fbb4ba1d097023eca3e (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 3d5f83a62e8235d235534b3dc6f197d8a822c269 (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 9b5b50329e2e966831a7237dd6949e7b5362a49a (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < ad2c8f25457ca9a81e7e958148cbc26600ce3071 (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 5944c25c67de54e0aa53623e1e1af3bf8b16ed44 (git) Affected: 3831861b4ad8fd0ad7110048eb3e155628799d2b , < 7e43039a49c2da45edc1d9d7c9ede4003ab45a5f (git) |
|
| Linux | Linux |
Affected:
2.6.36
Unaffected: 0 , < 2.6.36 (semver) Unaffected: 4.9.337 , ≤ 4.9.* (semver) Unaffected: 4.14.303 , ≤ 4.14.* (semver) Unaffected: 4.19.270 , ≤ 4.19.* (semver) Unaffected: 5.4.229 , ≤ 5.4.* (semver) Unaffected: 5.10.163 , ≤ 5.10.* (semver) Unaffected: 5.15.86 , ≤ 5.15.* (semver) Unaffected: 6.0.16 , ≤ 6.0.* (semver) Unaffected: 6.1.2 , ≤ 6.1.* (semver) Unaffected: 6.2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rdc/r6040.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a04707f4596952049da05756c27398c34d9a1d36",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "b4448816e6a565e08236a6009c6bf48c6836cdfd",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "2ce242e1b9ad31c1f68496b3548e407a8cb2c07d",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "b0a61359026b57a287a48fbb4ba1d097023eca3e",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "3d5f83a62e8235d235534b3dc6f197d8a822c269",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "9b5b50329e2e966831a7237dd6949e7b5362a49a",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "ad2c8f25457ca9a81e7e958148cbc26600ce3071",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "5944c25c67de54e0aa53623e1e1af3bf8b16ed44",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
},
{
"lessThan": "7e43039a49c2da45edc1d9d7c9ede4003ab45a5f",
"status": "affected",
"version": "3831861b4ad8fd0ad7110048eb3e155628799d2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rdc/r6040.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nr6040: Fix kmemleak in probe and remove\n\nThere is a memory leaks reported by kmemleak:\n\n unreferenced object 0xffff888116111000 (size 2048):\n comm \"modprobe\", pid 817, jiffies 4294759745 (age 76.502s)\n hex dump (first 32 bytes):\n 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................\n 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff815bcd82\u003e] kmalloc_trace+0x22/0x60\n [\u003cffffffff827e20ee\u003e] phy_device_create+0x4e/0x90\n [\u003cffffffff827e6072\u003e] get_phy_device+0xd2/0x220\n [\u003cffffffff827e7844\u003e] mdiobus_scan+0xa4/0x2e0\n [\u003cffffffff827e8be2\u003e] __mdiobus_register+0x482/0x8b0\n [\u003cffffffffa01f5d24\u003e] r6040_init_one+0x714/0xd2c [r6040]\n ...\n\nThe problem occurs in probe process as follows:\n r6040_init_one:\n mdiobus_register\n mdiobus_scan \u003c- alloc and register phy_device,\n the reference count of phy_device is 3\n r6040_mii_probe\n phy_connect \u003c- connect to the first phy_device,\n so the reference count of the first\n phy_device is 4, others are 3\n register_netdev \u003c- fault inject succeeded, goto error handling path\n\n // error handling path\n err_out_mdio_unregister:\n mdiobus_unregister(lp-\u003emii_bus);\n err_out_mdio:\n mdiobus_free(lp-\u003emii_bus); \u003c- the reference count of the first\n phy_device is 1, it is not released\n and other phy_devices are released\n // similarly, the remove process also has the same problem\n\nThe root cause is traced to the phy_device is not disconnected when\nremoves one r6040 device in r6040_remove_one() or on error handling path\nafter r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet\ndevice is connected to the first PHY device of mii_bus, in order to\nnotify the connected driver when the link status changes, which is the\ndefault behavior of the PHY infrastructure to handle everything.\nTherefore the phy_device should be disconnected when removes one r6040\ndevice or on error handling path.\n\nFix it by adding phy_disconnect() when removes one r6040 device or on\nerror handling path after r6040_mii probed successfully."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:21:29.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a04707f4596952049da05756c27398c34d9a1d36"
},
{
"url": "https://git.kernel.org/stable/c/b4448816e6a565e08236a6009c6bf48c6836cdfd"
},
{
"url": "https://git.kernel.org/stable/c/2ce242e1b9ad31c1f68496b3548e407a8cb2c07d"
},
{
"url": "https://git.kernel.org/stable/c/b0a61359026b57a287a48fbb4ba1d097023eca3e"
},
{
"url": "https://git.kernel.org/stable/c/3d5f83a62e8235d235534b3dc6f197d8a822c269"
},
{
"url": "https://git.kernel.org/stable/c/9b5b50329e2e966831a7237dd6949e7b5362a49a"
},
{
"url": "https://git.kernel.org/stable/c/ad2c8f25457ca9a81e7e958148cbc26600ce3071"
},
{
"url": "https://git.kernel.org/stable/c/5944c25c67de54e0aa53623e1e1af3bf8b16ed44"
},
{
"url": "https://git.kernel.org/stable/c/7e43039a49c2da45edc1d9d7c9ede4003ab45a5f"
}
],
"title": "r6040: Fix kmemleak in probe and remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50545",
"datePublished": "2025-10-07T15:21:09.288Z",
"dateReserved": "2025-10-07T15:15:38.667Z",
"dateUpdated": "2026-05-11T19:21:29.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50551 (GCVE-0-2022-50551)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2026-05-11 19:21
VLAI?
EPSS
Title
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
BIT(chiprev) when a 'chiprev' provided by the device is too large.
It should also not be equal to or greater than BITS_PER_TYPE(u32)
as we do bitwise AND with a u32 variable and BIT(chiprev). The patch
adds a check that makes the function return NULL if that is the case.
Note that the NULL case is later handled by the bus-specific caller,
brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.
Found by a modified version of syzkaller.
UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
ubsan_epilogue+0x5/0x40
__ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb
? lock_chain_count+0x20/0x20
brcmf_fw_alloc_request.cold+0x19/0x3ea
? brcmf_fw_get_firmwares+0x250/0x250
? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0
brcmf_usb_get_fwname+0x114/0x1a0
? brcmf_usb_reset_resume+0x120/0x120
? number+0x6c4/0x9a0
brcmf_c_process_clm_blob+0x168/0x590
? put_dec+0x90/0x90
? enable_ptr_key_workfn+0x20/0x20
? brcmf_common_pd_remove+0x50/0x50
? rcu_read_lock_sched_held+0xa1/0xd0
brcmf_c_preinit_dcmds+0x673/0xc40
? brcmf_c_set_joinpref_default+0x100/0x100
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lock_acquire+0x19d/0x4e0
? find_held_lock+0x2d/0x110
? brcmf_usb_deq+0x1cc/0x260
? mark_held_locks+0x9f/0xe0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? _raw_spin_unlock_irqrestore+0x47/0x50
? trace_hardirqs_on+0x1c/0x120
? brcmf_usb_deq+0x1a7/0x260
? brcmf_usb_rx_fill_all+0x5a/0xf0
brcmf_attach+0x246/0xd40
? wiphy_new_nm+0x1476/0x1d50
? kmemdup+0x30/0x40
brcmf_usb_probe+0x12de/0x1690
? brcmf_usbdev_qinit.constprop.0+0x470/0x470
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
? usb_match_id.part.0+0x88/0xc0
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __mutex_unlock_slowpath+0xe7/0x660
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_set_configuration+0x984/0x1770
? kernfs_create_link+0x175/0x230
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_new_device.cold+0x463/0xf66
? hub_disconnect+0x400/0x400
? _raw_spin_unlock_irq+0x24/0x30
hub_event+0x10d5/0x3330
? hub_port_debounce+0x280/0x280
? __lock_acquire+0x1671/0x5790
? wq_calc_node_cpumask+0x170/0x2a0
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x873/0x13e0
? lock_release+0x640/0x640
? pwq_dec_nr_in_flight+0x320/0x320
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x8b/0xd10
? __kthread_parkme+0xd9/0x1d0
? pr
---truncated---
Severity ?
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
46d703a775394e4724509ff55cdda41d228c028c , < 1db036d13e10809943c2dce553e2fa7fc9c6cd80
(git)
Affected: 46d703a775394e4724509ff55cdda41d228c028c , < bc45aa1911bf699b9905f12414e3c1879d6b784f (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 4c8fc44c44b97854623c56363c359f711fc0b887 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 9d2f70fa2c7cc6c73a420ff15682454782d3d6f6 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 5b06a8a25eba07628313aa3c5496522eff97be53 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 87792567d9ed93fd336d2c3b8d7870f44e141e6d (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 0b12d2aa264bac35bff9b5399bb162262b2b8949 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 579c9b9838e8a73f6e93ddece07972c241514dcc (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < ffb589963df103caaf062081a32db0b9e1798660 (git) Affected: 46d703a775394e4724509ff55cdda41d228c028c , < 81d17f6f3331f03c8eafdacea68ab773426c1e3c (git) |
|
| Linux | Linux |
Affected:
4.5
Unaffected: 0 , < 4.5 (semver) Unaffected: 4.9.337 , ≤ 4.9.* (semver) Unaffected: 4.14.303 , ≤ 4.14.* (semver) Unaffected: 4.14.305 , ≤ 4.14.* (semver) Unaffected: 4.19.270 , ≤ 4.19.* (semver) Unaffected: 5.4.229 , ≤ 5.4.* (semver) Unaffected: 5.10.163 , ≤ 5.10.* (semver) Unaffected: 5.15.86 , ≤ 5.15.* (semver) Unaffected: 6.0.16 , ≤ 6.0.* (semver) Unaffected: 6.1.2 , ≤ 6.1.* (semver) Unaffected: 6.2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1db036d13e10809943c2dce553e2fa7fc9c6cd80",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "bc45aa1911bf699b9905f12414e3c1879d6b784f",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "4c8fc44c44b97854623c56363c359f711fc0b887",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "9d2f70fa2c7cc6c73a420ff15682454782d3d6f6",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "5b06a8a25eba07628313aa3c5496522eff97be53",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "87792567d9ed93fd336d2c3b8d7870f44e141e6d",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "0b12d2aa264bac35bff9b5399bb162262b2b8949",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "579c9b9838e8a73f6e93ddece07972c241514dcc",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "ffb589963df103caaf062081a32db0b9e1798660",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
},
{
"lessThan": "81d17f6f3331f03c8eafdacea68ab773426c1e3c",
"status": "affected",
"version": "46d703a775394e4724509ff55cdda41d228c028c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()\n\nThis patch fixes a shift-out-of-bounds in brcmfmac that occurs in\nBIT(chiprev) when a \u0027chiprev\u0027 provided by the device is too large.\nIt should also not be equal to or greater than BITS_PER_TYPE(u32)\nas we do bitwise AND with a u32 variable and BIT(chiprev). The patch\nadds a check that makes the function return NULL if that is the case.\nNote that the NULL case is later handled by the bus-specific caller,\nbrcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.\n\nFound by a modified version of syzkaller.\n\nUBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c\nshift exponent 151055786 is too large for 64-bit type \u0027long unsigned int\u0027\nCPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x57/0x7d\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb\n ? lock_chain_count+0x20/0x20\n brcmf_fw_alloc_request.cold+0x19/0x3ea\n ? brcmf_fw_get_firmwares+0x250/0x250\n ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0\n brcmf_usb_get_fwname+0x114/0x1a0\n ? brcmf_usb_reset_resume+0x120/0x120\n ? number+0x6c4/0x9a0\n brcmf_c_process_clm_blob+0x168/0x590\n ? put_dec+0x90/0x90\n ? enable_ptr_key_workfn+0x20/0x20\n ? brcmf_common_pd_remove+0x50/0x50\n ? rcu_read_lock_sched_held+0xa1/0xd0\n brcmf_c_preinit_dcmds+0x673/0xc40\n ? brcmf_c_set_joinpref_default+0x100/0x100\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lock_acquire+0x19d/0x4e0\n ? find_held_lock+0x2d/0x110\n ? brcmf_usb_deq+0x1cc/0x260\n ? mark_held_locks+0x9f/0xe0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? _raw_spin_unlock_irqrestore+0x47/0x50\n ? trace_hardirqs_on+0x1c/0x120\n ? brcmf_usb_deq+0x1a7/0x260\n ? brcmf_usb_rx_fill_all+0x5a/0xf0\n brcmf_attach+0x246/0xd40\n ? wiphy_new_nm+0x1476/0x1d50\n ? kmemdup+0x30/0x40\n brcmf_usb_probe+0x12de/0x1690\n ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n ? usb_match_id.part.0+0x88/0xc0\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __mutex_unlock_slowpath+0xe7/0x660\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_set_configuration+0x984/0x1770\n ? kernfs_create_link+0x175/0x230\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_new_device.cold+0x463/0xf66\n ? hub_disconnect+0x400/0x400\n ? _raw_spin_unlock_irq+0x24/0x30\n hub_event+0x10d5/0x3330\n ? hub_port_debounce+0x280/0x280\n ? __lock_acquire+0x1671/0x5790\n ? wq_calc_node_cpumask+0x170/0x2a0\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x873/0x13e0\n ? lock_release+0x640/0x640\n ? pwq_dec_nr_in_flight+0x320/0x320\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x8b/0xd10\n ? __kthread_parkme+0xd9/0x1d0\n ? pr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:21:36.721Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1db036d13e10809943c2dce553e2fa7fc9c6cd80"
},
{
"url": "https://git.kernel.org/stable/c/bc45aa1911bf699b9905f12414e3c1879d6b784f"
},
{
"url": "https://git.kernel.org/stable/c/4c8fc44c44b97854623c56363c359f711fc0b887"
},
{
"url": "https://git.kernel.org/stable/c/9d2f70fa2c7cc6c73a420ff15682454782d3d6f6"
},
{
"url": "https://git.kernel.org/stable/c/5b06a8a25eba07628313aa3c5496522eff97be53"
},
{
"url": "https://git.kernel.org/stable/c/87792567d9ed93fd336d2c3b8d7870f44e141e6d"
},
{
"url": "https://git.kernel.org/stable/c/0b12d2aa264bac35bff9b5399bb162262b2b8949"
},
{
"url": "https://git.kernel.org/stable/c/579c9b9838e8a73f6e93ddece07972c241514dcc"
},
{
"url": "https://git.kernel.org/stable/c/ffb589963df103caaf062081a32db0b9e1798660"
},
{
"url": "https://git.kernel.org/stable/c/81d17f6f3331f03c8eafdacea68ab773426c1e3c"
}
],
"title": "wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50551",
"datePublished": "2025-10-07T15:21:13.391Z",
"dateReserved": "2025-10-07T15:15:38.669Z",
"dateUpdated": "2026-05-11T19:21:36.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50569 (GCVE-0-2022-50569)
Vulnerability from cvelistv5 – Published: 2025-10-22 13:23 – Updated: 2026-05-11 19:21
VLAI?
EPSS
Title
xfrm: Update ipcomp_scratches with NULL when freed
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Update ipcomp_scratches with NULL when freed
Currently if ipcomp_alloc_scratches() fails to allocate memory
ipcomp_scratches holds obsolete address. So when we try to free the
percpu scratches using ipcomp_free_scratches() it tries to vfree non
existent vm area. Described below:
static void * __percpu *ipcomp_alloc_scratches(void)
{
...
scratches = alloc_percpu(void *);
if (!scratches)
return NULL;
ipcomp_scratches does not know about this allocation failure.
Therefore holding the old obsolete address.
...
}
So when we free,
static void ipcomp_free_scratches(void)
{
...
scratches = ipcomp_scratches;
Assigning obsolete address from ipcomp_scratches
if (!scratches)
return;
for_each_possible_cpu(i)
vfree(*per_cpu_ptr(scratches, i));
Trying to free non existent page, causing warning: trying to vfree
existent vm area.
...
}
Fix this breakage by updating ipcomp_scrtches with NULL when scratches
is freed
Severity ?
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < debca61df6bc2f65e020656c9c5b878d6b38d30f
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a39f456d62810c0efb43cead22f98d95b53e4b1a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1e8abde895b3ac6a368cbdb372e8800c49e73a28 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18373ed500f7cd53e24d9b0bd0f1c09d78dba87e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < be81c44242b20fc3bdcc73480ef8aaee56f5d0b6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 03155680191ef0f004b1d6a5714c5b8cd271ab61 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f3bdba4440d82e0da2b1bfc35d3836c8a8e00677 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2c19945ce8095d065df550e7fe350cd5cc40c6e6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8a04d2fc700f717104bfb95b0f6694e448a4537f (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 4.9.331 , ≤ 4.9.* (semver) Unaffected: 4.14.296 , ≤ 4.14.* (semver) Unaffected: 4.19.262 , ≤ 4.19.* (semver) Unaffected: 5.4.220 , ≤ 5.4.* (semver) Unaffected: 5.10.150 , ≤ 5.10.* (semver) Unaffected: 5.15.75 , ≤ 5.15.* (semver) Unaffected: 5.19.17 , ≤ 5.19.* (semver) Unaffected: 6.0.3 , ≤ 6.0.* (semver) Unaffected: 6.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_ipcomp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "debca61df6bc2f65e020656c9c5b878d6b38d30f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a39f456d62810c0efb43cead22f98d95b53e4b1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1e8abde895b3ac6a368cbdb372e8800c49e73a28",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18373ed500f7cd53e24d9b0bd0f1c09d78dba87e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "be81c44242b20fc3bdcc73480ef8aaee56f5d0b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "03155680191ef0f004b1d6a5714c5b8cd271ab61",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3bdba4440d82e0da2b1bfc35d3836c8a8e00677",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c19945ce8095d065df550e7fe350cd5cc40c6e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a04d2fc700f717104bfb95b0f6694e448a4537f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_ipcomp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Update ipcomp_scratches with NULL when freed\n\nCurrently if ipcomp_alloc_scratches() fails to allocate memory\nipcomp_scratches holds obsolete address. So when we try to free the\npercpu scratches using ipcomp_free_scratches() it tries to vfree non\nexistent vm area. Described below:\n\nstatic void * __percpu *ipcomp_alloc_scratches(void)\n{\n ...\n scratches = alloc_percpu(void *);\n if (!scratches)\n return NULL;\nipcomp_scratches does not know about this allocation failure.\nTherefore holding the old obsolete address.\n ...\n}\n\nSo when we free,\n\nstatic void ipcomp_free_scratches(void)\n{\n ...\n scratches = ipcomp_scratches;\nAssigning obsolete address from ipcomp_scratches\n\n if (!scratches)\n return;\n\n for_each_possible_cpu(i)\n vfree(*per_cpu_ptr(scratches, i));\nTrying to free non existent page, causing warning: trying to vfree\nexistent vm area.\n ...\n}\n\nFix this breakage by updating ipcomp_scrtches with NULL when scratches\nis freed"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:21:57.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/debca61df6bc2f65e020656c9c5b878d6b38d30f"
},
{
"url": "https://git.kernel.org/stable/c/a39f456d62810c0efb43cead22f98d95b53e4b1a"
},
{
"url": "https://git.kernel.org/stable/c/1e8abde895b3ac6a368cbdb372e8800c49e73a28"
},
{
"url": "https://git.kernel.org/stable/c/18373ed500f7cd53e24d9b0bd0f1c09d78dba87e"
},
{
"url": "https://git.kernel.org/stable/c/be81c44242b20fc3bdcc73480ef8aaee56f5d0b6"
},
{
"url": "https://git.kernel.org/stable/c/03155680191ef0f004b1d6a5714c5b8cd271ab61"
},
{
"url": "https://git.kernel.org/stable/c/f3bdba4440d82e0da2b1bfc35d3836c8a8e00677"
},
{
"url": "https://git.kernel.org/stable/c/2c19945ce8095d065df550e7fe350cd5cc40c6e6"
},
{
"url": "https://git.kernel.org/stable/c/8a04d2fc700f717104bfb95b0f6694e448a4537f"
}
],
"title": "xfrm: Update ipcomp_scratches with NULL when freed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50569",
"datePublished": "2025-10-22T13:23:25.810Z",
"dateReserved": "2025-10-22T13:20:23.760Z",
"dateUpdated": "2026-05-11T19:21:57.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50578 (GCVE-0-2022-50578)
Vulnerability from cvelistv5 – Published: 2025-10-22 13:23 – Updated: 2026-05-11 19:22
VLAI?
EPSS
Title
class: fix possible memory leak in __class_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
class: fix possible memory leak in __class_register()
If class_add_groups() returns error, the 'cp->subsys' need be
unregister, and the 'cp' need be freed.
We can not call kset_unregister() here, because the 'cls' will
be freed in callback function class_release() and it's also
freed in caller's error path, it will cause double free.
So fix this by calling kobject_del() and kfree_const(name) to
cleanup kobject. Besides, call kfree() to free the 'cp'.
Fault injection test can trigger this:
unreferenced object 0xffff888102fa8190 (size 8):
comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
hex dump (first 8 bytes):
70 6b 74 63 64 76 64 00 pktcdvd.
backtrace:
[<00000000e7c7703d>] __kmalloc_track_caller+0x1ae/0x320
[<000000005e4d70bc>] kstrdup+0x3a/0x70
[<00000000c2e5e85a>] kstrdup_const+0x68/0x80
[<000000000049a8c7>] kvasprintf_const+0x10b/0x190
[<0000000029123163>] kobject_set_name_vargs+0x56/0x150
[<00000000747219c9>] kobject_set_name+0xab/0xe0
[<0000000005f1ea4e>] __class_register+0x15c/0x49a
unreferenced object 0xffff888037274000 (size 1024):
comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
hex dump (first 32 bytes):
00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@'7.....@'7....
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
backtrace:
[<00000000151f9600>] kmem_cache_alloc_trace+0x17c/0x2f0
[<00000000ecf3dd95>] __class_register+0x86/0x49a
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ced6473e7486702f530a49f886b73195e4977734 , < 4efa5443817c1b6de22d401aeca5b2481e835f8c
(git)
Affected: ced6473e7486702f530a49f886b73195e4977734 , < 3bb9c92c27624ad076419a70f2b1a30cd1f8bbbd (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < 3e0efc3f3f5e5c73996782f8db69963e501bb878 (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < 18a7200646958cf8e1b8a933de08122fc50676cd (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < 417ef049e3fd3b0d2593c1d5ffa3d0d5d0a018a7 (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < e764ad5918a099ebeb909ccff83893a714e497e1 (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < abaedb68a769e6bf36836b55a2f49b531c5f3f7b (git) Affected: ced6473e7486702f530a49f886b73195e4977734 , < 8c3e8a6bdb5253b97ad532570f8b5db5f7a06407 (git) |
|
| Linux | Linux |
Affected:
4.10
Unaffected: 0 , < 4.10 (semver) Unaffected: 4.14.303 , ≤ 4.14.* (semver) Unaffected: 4.19.270 , ≤ 4.19.* (semver) Unaffected: 5.4.229 , ≤ 5.4.* (semver) Unaffected: 5.10.163 , ≤ 5.10.* (semver) Unaffected: 5.15.86 , ≤ 5.15.* (semver) Unaffected: 6.0.16 , ≤ 6.0.* (semver) Unaffected: 6.1.2 , ≤ 6.1.* (semver) Unaffected: 6.2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4efa5443817c1b6de22d401aeca5b2481e835f8c",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "3bb9c92c27624ad076419a70f2b1a30cd1f8bbbd",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "3e0efc3f3f5e5c73996782f8db69963e501bb878",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "18a7200646958cf8e1b8a933de08122fc50676cd",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "417ef049e3fd3b0d2593c1d5ffa3d0d5d0a018a7",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "e764ad5918a099ebeb909ccff83893a714e497e1",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "abaedb68a769e6bf36836b55a2f49b531c5f3f7b",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
},
{
"lessThan": "8c3e8a6bdb5253b97ad532570f8b5db5f7a06407",
"status": "affected",
"version": "ced6473e7486702f530a49f886b73195e4977734",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclass: fix possible memory leak in __class_register()\n\nIf class_add_groups() returns error, the \u0027cp-\u003esubsys\u0027 need be\nunregister, and the \u0027cp\u0027 need be freed.\n\nWe can not call kset_unregister() here, because the \u0027cls\u0027 will\nbe freed in callback function class_release() and it\u0027s also\nfreed in caller\u0027s error path, it will cause double free.\n\nSo fix this by calling kobject_del() and kfree_const(name) to\ncleanup kobject. Besides, call kfree() to free the \u0027cp\u0027.\n\nFault injection test can trigger this:\n\nunreferenced object 0xffff888102fa8190 (size 8):\n comm \"modprobe\", pid 502, jiffies 4294906074 (age 49.296s)\n hex dump (first 8 bytes):\n 70 6b 74 63 64 76 64 00 pktcdvd.\n backtrace:\n [\u003c00000000e7c7703d\u003e] __kmalloc_track_caller+0x1ae/0x320\n [\u003c000000005e4d70bc\u003e] kstrdup+0x3a/0x70\n [\u003c00000000c2e5e85a\u003e] kstrdup_const+0x68/0x80\n [\u003c000000000049a8c7\u003e] kvasprintf_const+0x10b/0x190\n [\u003c0000000029123163\u003e] kobject_set_name_vargs+0x56/0x150\n [\u003c00000000747219c9\u003e] kobject_set_name+0xab/0xe0\n [\u003c0000000005f1ea4e\u003e] __class_register+0x15c/0x49a\n\nunreferenced object 0xffff888037274000 (size 1024):\n comm \"modprobe\", pid 502, jiffies 4294906074 (age 49.296s)\n hex dump (first 32 bytes):\n 00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@\u00277.....@\u00277....\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n backtrace:\n [\u003c00000000151f9600\u003e] kmem_cache_alloc_trace+0x17c/0x2f0\n [\u003c00000000ecf3dd95\u003e] __class_register+0x86/0x49a"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:22:08.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4efa5443817c1b6de22d401aeca5b2481e835f8c"
},
{
"url": "https://git.kernel.org/stable/c/3bb9c92c27624ad076419a70f2b1a30cd1f8bbbd"
},
{
"url": "https://git.kernel.org/stable/c/3e0efc3f3f5e5c73996782f8db69963e501bb878"
},
{
"url": "https://git.kernel.org/stable/c/18a7200646958cf8e1b8a933de08122fc50676cd"
},
{
"url": "https://git.kernel.org/stable/c/417ef049e3fd3b0d2593c1d5ffa3d0d5d0a018a7"
},
{
"url": "https://git.kernel.org/stable/c/e764ad5918a099ebeb909ccff83893a714e497e1"
},
{
"url": "https://git.kernel.org/stable/c/abaedb68a769e6bf36836b55a2f49b531c5f3f7b"
},
{
"url": "https://git.kernel.org/stable/c/8c3e8a6bdb5253b97ad532570f8b5db5f7a06407"
}
],
"title": "class: fix possible memory leak in __class_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50578",
"datePublished": "2025-10-22T13:23:31.565Z",
"dateReserved": "2025-10-22T13:20:23.761Z",
"dateUpdated": "2026-05-11T19:22:08.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53229 (GCVE-0-2023-53229)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:22 – Updated: 2026-05-11 19:40
VLAI?
EPSS
Title
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
Avoid potential data corruption issues caused by uninitialized driver
private data structures.
Severity ?
5.5 (Medium)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6a9d1b91f34df1935bc0ad98114801a44db0f98c , < db8d32d6b25fdb75c387daee496b96209d477780
(git)
Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 7e68d7c640d41d8a371b8f6c2d2682ea437cbe21 (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < a3593082e0dadf87f17ea4ca9fa0210caaa2aebf (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 3fe20515449a80a177526d2ecd13b43f6ee41aeb (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 30c5a016a37a668c1c07442cf94de6e99ea7417a (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 022c8320d9eb7394538bd716fa1a07a5ed92621b (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 73752a39e2a6e38eee3ba90ece2ded598ea88006 (git) Affected: 6a9d1b91f34df1935bc0ad98114801a44db0f98c , < 12b220a6171faf10638ab683a975cadcf1a352d6 (git) |
|
| Linux | Linux |
Affected:
3.14
Unaffected: 0 , < 3.14 (semver) Unaffected: 4.14.313 , ≤ 4.14.* (semver) Unaffected: 4.19.281 , ≤ 4.19.* (semver) Unaffected: 5.4.241 , ≤ 5.4.* (semver) Unaffected: 5.10.178 , ≤ 5.10.* (semver) Unaffected: 5.15.107 , ≤ 5.15.* (semver) Unaffected: 6.1.24 , ≤ 6.1.* (semver) Unaffected: 6.2.11 , ≤ 6.2.* (semver) Unaffected: 6.3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53229",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:54:52.961706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:02:49.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/sta_info.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db8d32d6b25fdb75c387daee496b96209d477780",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "7e68d7c640d41d8a371b8f6c2d2682ea437cbe21",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "a3593082e0dadf87f17ea4ca9fa0210caaa2aebf",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "3fe20515449a80a177526d2ecd13b43f6ee41aeb",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "30c5a016a37a668c1c07442cf94de6e99ea7417a",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "022c8320d9eb7394538bd716fa1a07a5ed92621b",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "73752a39e2a6e38eee3ba90ece2ded598ea88006",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
},
{
"lessThan": "12b220a6171faf10638ab683a975cadcf1a352d6",
"status": "affected",
"version": "6a9d1b91f34df1935bc0ad98114801a44db0f98c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/sta_info.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.313",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta\n\nAvoid potential data corruption issues caused by uninitialized driver\nprivate data structures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:40:44.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db8d32d6b25fdb75c387daee496b96209d477780"
},
{
"url": "https://git.kernel.org/stable/c/7e68d7c640d41d8a371b8f6c2d2682ea437cbe21"
},
{
"url": "https://git.kernel.org/stable/c/a3593082e0dadf87f17ea4ca9fa0210caaa2aebf"
},
{
"url": "https://git.kernel.org/stable/c/3fe20515449a80a177526d2ecd13b43f6ee41aeb"
},
{
"url": "https://git.kernel.org/stable/c/30c5a016a37a668c1c07442cf94de6e99ea7417a"
},
{
"url": "https://git.kernel.org/stable/c/022c8320d9eb7394538bd716fa1a07a5ed92621b"
},
{
"url": "https://git.kernel.org/stable/c/73752a39e2a6e38eee3ba90ece2ded598ea88006"
},
{
"url": "https://git.kernel.org/stable/c/12b220a6171faf10638ab683a975cadcf1a352d6"
}
],
"title": "wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53229",
"datePublished": "2025-09-15T14:22:01.784Z",
"dateReserved": "2025-09-15T14:19:21.846Z",
"dateUpdated": "2026-05-11T19:40:44.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…