Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-50004

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
18/06/2025
Last modified:
14/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: policy: fix metadata dst-&gt;dev xmit null pointer dereference<br /> <br /> When we try to transmit an skb with metadata_dst attached (i.e. dst-&gt;dev<br /> == NULL) through xfrm interface we can hit a null pointer dereference[1]<br /> in xfrmi_xmit2() -&gt; xfrm_lookup_with_ifid() due to the check for a<br /> loopback skb device when there&amp;#39;s no policy which dereferences dst-&gt;dev<br /> unconditionally. Not having dst-&gt;dev can be interepreted as it not being<br /> a loopback device, so just add a check for a null dst_orig-&gt;dev.<br /> <br /> With this fix xfrm interface&amp;#39;s Tx error counters go up as usual.<br /> <br /> [1] net-next calltrace captured via netconsole:<br /> BUG: kernel NULL pointer dereference, address: 00000000000000c0<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014<br /> RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60<br /> Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02<br /> RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80<br /> RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000<br /> R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880<br /> R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000<br /> FS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0<br /> Call Trace:<br /> <br /> xfrmi_xmit+0xde/0x460<br /> ? tcf_bpf_act+0x13d/0x2a0<br /> dev_hard_start_xmit+0x72/0x1e0<br /> __dev_queue_xmit+0x251/0xd30<br /> ip_finish_output2+0x140/0x550<br /> ip_push_pending_frames+0x56/0x80<br /> raw_sendmsg+0x663/0x10a0<br /> ? try_charge_memcg+0x3fd/0x7a0<br /> ? __mod_memcg_lruvec_state+0x93/0x110<br /> ? sock_sendmsg+0x30/0x40<br /> sock_sendmsg+0x30/0x40<br /> __sys_sendto+0xeb/0x130<br /> ? handle_mm_fault+0xae/0x280<br /> ? do_user_addr_fault+0x1e7/0x680<br /> ? kvm_read_and_reset_apf_flags+0x3b/0x50<br /> __x64_sys_sendto+0x20/0x30<br /> do_syscall_64+0x34/0x80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> RIP: 0033:0x7ff35cac1366<br /> Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89<br /> RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c<br /> RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366<br /> RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003<br /> RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040<br /> R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001<br /> <br /> Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole]<br /> CR2: 00000000000000c0

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.118 (including) 5.10.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.19.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools