CVE-2022-50004

{"id": "CVE-2022-50004", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:28.287", "references": [{"url": "https://git.kernel.org/stable/c/17ecd4a4db4783392edd4944f5e8268205083f70", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2761612bcde9776dd93ce60ce55ef0b7c7329153", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/96f2758a6d028d1ac08616de9c3c7ff2a122ecf1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e26d676c1f9f335510780b566a10475c47ce03d0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: policy: fix metadata dst->dev xmit null pointer dereference\n\nWhen we try to transmit an skb with metadata_dst attached (i.e. dst->dev\n== NULL) through xfrm interface we can hit a null pointer dereference[1]\nin xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a\nloopback skb device when there's no policy which dereferences dst->dev\nunconditionally. Not having dst->dev can be interepreted as it not being\na loopback device, so just add a check for a null dst_orig->dev.\n\nWith this fix xfrm interface's Tx error counters go up as usual.\n\n[1] net-next calltrace captured via netconsole:\n BUG: kernel NULL pointer dereference, address: 00000000000000c0\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014\n RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60\n Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 <f6> 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02\n RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80\n RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000\n R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000\n FS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0\n Call Trace:\n <TASK>\n xfrmi_xmit+0xde/0x460\n ? tcf_bpf_act+0x13d/0x2a0\n dev_hard_start_xmit+0x72/0x1e0\n __dev_queue_xmit+0x251/0xd30\n ip_finish_output2+0x140/0x550\n ip_push_pending_frames+0x56/0x80\n raw_sendmsg+0x663/0x10a0\n ? try_charge_memcg+0x3fd/0x7a0\n ? __mod_memcg_lruvec_state+0x93/0x110\n ? sock_sendmsg+0x30/0x40\n sock_sendmsg+0x30/0x40\n __sys_sendto+0xeb/0x130\n ? handle_mm_fault+0xae/0x280\n ? do_user_addr_fault+0x1e7/0x680\n ? kvm_read_and_reset_apf_flags+0x3b/0x50\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x34/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7ff35cac1366\n Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89\n RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366\n RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003\n RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040\n R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001\n </TASK>\n Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole]\n CR2: 00000000000000c0"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xfrm: pol\u00edtica: corregir la desreferencia de puntero nulo de metadatos dst-&gt;dev xmit Cuando intentamos transmitir un skb con metadata_dst adjunto (es decir, dst-&gt;dev == NULL) a trav\u00e9s de la interfaz xfrm, podemos alcanzar una desreferencia de puntero nulo[1] en xfrmi_xmit2() -&gt; xfrm_lookup_with_ifid() debido a la comprobaci\u00f3n de un dispositivo skb de bucle invertido cuando no hay ninguna pol\u00edtica que desreferencia dst-&gt;dev incondicionalmente. No tener dst-&gt;dev puede interpretarse como que no es un dispositivo de bucle invertido, as\u00ed que simplemente agregue una comprobaci\u00f3n para un dst_orig-&gt;dev nulo. Con esta correcci\u00f3n, los contadores de errores de Tx de la interfaz xfrm suben como de costumbre. [1] net-next calltrace capturado a trav\u00e9s de netconsole: ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 00000000000000c0 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 7231 Comm: ping Kdump: cargado No contaminado 5.19.0+ #24 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60 C\u00f3digo: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd ser 0f 85 ser 01 00 00 41 ser ff ff ff ff 45 31 ed 48 8b 03 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02 RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246 RAX: 000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10 RDX: 00000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80 RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000 R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880 R13: 000000000000000 R14: 00000000ffffffff R15: 000000000000000 FS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0 Seguimiento de llamadas: xfrmi_xmit+0xde/0x460 ? tcf_bpf_act+0x13d/0x2a0 dev_hard_start_xmit+0x72/0x1e0 __dev_queue_xmit+0x251/0xd30 ip_finish_output2+0x140/0x550 ip_push_pending_frames+0x56/0x80 raw_sendmsg+0x663/0x10a0 ? try_charge_memcg+0x3fd/0x7a0 ? __mod_memcg_lruvec_state+0x93/0x110 ? sock_sendmsg+0x30/0x40 sock_sendmsg+0x30/0x40 __sys_sendto+0xeb/0x130 ? manejar_mm_fault+0xae/0x280 ? hacer_direcci\u00f3n_usuario_fault+0x1e7/0x680 ? kvm_read_and_reset_apf_flags+0x3b/0x50 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7ff35cac1366 C\u00f3digo: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 &lt;48&gt; 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89 RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366 RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003 RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001 M\u00f3dulos vinculados en: netconsole veth br_netfilter bridge bonding virtio_net [\u00faltima descarga: netconsole] CR2: 00000000000000c0"}], "lastModified": "2025-11-14T16:00:28.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "957CAAB5-8EC5-4CB9-8809-C1CB12F7F446", "versionEndExcluding": "5.10.140", "versionStartIncluding": "5.10.118"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D84F1BC-C9DF-4483-81B0-7377D6BFAEE6", "versionEndExcluding": "5.15.64", "versionStartIncluding": "5.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89E99903-E16D-475D-954B-2BAC46C98262", "versionEndExcluding": "5.19.6", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}