CVE-2022-50004

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50004
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50004.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50004
Downstream
Published
2025-06-18T11:01:09Z
Modified
2025-10-15T01:51:21.761984Z
Summary
xfrm: policy: fix metadata dst->dev xmit null pointer dereference
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix metadata dst->dev xmit null pointer dereference

When we try to transmit an skb with metadata_dst attached (i.e. dst->dev == NULL) through xfrm interface we can hit a null pointer dereference[1] in xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a loopback skb device when there's no policy which dereferences dst->dev unconditionally. Not having dst->dev can be interpreted as it not being a loopback device, so just add a check for a null dst_orig->dev.

With this fix xfrm interface's Tx error counters go up as usual.

[1] net-next calltrace captured via netconsole:
BUG: kernel NULL pointer dereference, address: 00000000000000c0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014
RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60
Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 <f6> 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02
RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80
RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000
R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880
R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000
FS:  00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 xfrmi_xmit+0xde/0x460
 ? tcf_bpf_act+0x13d/0x2a0
 dev_hard_start_xmit+0x72/0x1e0
 __dev_queue_xmit+0x251/0xd30
 ip_finish_output2+0x140/0x550
 ip_push_pending_frames+0x56/0x80
 raw_sendmsg+0x663/0x10a0
 ? try_charge_memcg+0x3fd/0x7a0
 ? __mod_memcg_lruvec_state+0x93/0x110
 ? sock_sendmsg+0x30/0x40
 sock_sendmsg+0x30/0x40
 __sys_sendto+0xeb/0x130
 ? handle_mm_fault+0xae/0x280
 ? do_user_addr_fault+0x1e7/0x680
 ? kvm_read_and_reset_apf_flags+0x3b/0x50
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x34/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7ff35cac1366
Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89
RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366
RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003
RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001
 </TASK>
Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole]
CR2: 00000000000000c0
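The trace above is consistent with the description: RAX is 0 when the faulting instruction runs, CR2 is 0xc0, and the bytes at the fault marker (48 8b 03 <f6> 80 c0 00 00 00 08) decode to a load of the pointer stored at *rbx followed by testb $0x8, 0xc0(%rax), i.e. a test of the IFF_LOOPBACK bit (0x8) in a net_device's flags field through a NULL dev pointer. The following is an added example, not the kernel's own code: a user-space model of the "no matching policy" branch of xfrm_lookup_with_ifid() in net/xfrm/xfrm_policy.c, with the pre-fix check (unconditional dst_orig->dev dereference) beside the post-fix check (NULL dev treated as "not loopback"). The struct layouts, the function names nopol_check_vulnerable()/nopol_check_fixed(), and the sample dst entries are constructed for this example; the kernel's real structures and helpers look different.

```c
/*
 * Added example, not kernel code: models the default-policy check that
 * xfrm_lookup_with_ifid() applies when no xfrm policy matches a packet.
 * Struct layouts, helper names and sample data are constructed here.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define IFF_LOOPBACK 0x8u   /* same bit value the kernel uses for IFF_LOOPBACK */

/* Models net->xfrm.policy_default[dir]: what to do when no policy matches. */
enum xfrm_userpolicy_default {
    XFRM_USERPOLICY_ACCEPT = 1,
    XFRM_USERPOLICY_BLOCK  = 2,
};

struct net_device {
    unsigned int flags;     /* IFF_* bits */
};

/* A metadata_dst carries tunnel metadata, not a route: its dev is NULL. */
struct dst_entry {
    struct net_device *dev;
};

/*
 * Pre-fix logic: the loopback test dereferences dst_orig->dev unconditionally.
 * With a metadata_dst (dev == NULL) this reads flags through a NULL pointer,
 * which is the oops in the report. Kept only for comparison; never call it
 * with dst_orig->dev == NULL.
 */
static int nopol_check_vulnerable(const struct dst_entry *dst_orig,
                                  enum xfrm_userpolicy_default policy_default)
{
    if (!(dst_orig->dev->flags & IFF_LOOPBACK) &&
        policy_default == XFRM_USERPOLICY_BLOCK)
        return -EPERM;
    return 0;
}

/*
 * Post-fix logic: a missing device is treated as "not loopback", so with the
 * default set to BLOCK the packet is refused with -EPERM instead of faulting.
 * On the xfrm interface that refusal is what bumps the Tx error counters.
 */
static int nopol_check_fixed(const struct dst_entry *dst_orig,
                             enum xfrm_userpolicy_default policy_default)
{
    if ((!dst_orig->dev || !(dst_orig->dev->flags & IFF_LOOPBACK)) &&
        policy_default == XFRM_USERPOLICY_BLOCK)
        return -EPERM;
    return 0;
}

/* Constructed sample dst entries standing in for what xfrmi_xmit2() may see. */
static struct net_device lo_dev   = { .flags = IFF_LOOPBACK };
static struct net_device eth_dev  = { .flags = 0 };
static struct dst_entry  dst_lo   = { .dev = &lo_dev };
static struct dst_entry  dst_eth  = { .dev = &eth_dev };
static struct dst_entry  dst_meta = { .dev = NULL };   /* metadata_dst */

int main(void)
{
    /* With a real device attached both versions agree. */
    printf("lo   BLOCK : vulnerable=%d fixed=%d\n",
           nopol_check_vulnerable(&dst_lo, XFRM_USERPOLICY_BLOCK),
           nopol_check_fixed(&dst_lo, XFRM_USERPOLICY_BLOCK));
    printf("eth  BLOCK : vulnerable=%d fixed=%d\n",
           nopol_check_vulnerable(&dst_eth, XFRM_USERPOLICY_BLOCK),
           nopol_check_fixed(&dst_eth, XFRM_USERPOLICY_BLOCK));
    /* With a metadata_dst only the fixed version can be called safely. */
    printf("meta BLOCK : fixed=%d (pre-fix code would fault on dst->dev)\n",
           nopol_check_fixed(&dst_meta, XFRM_USERPOLICY_BLOCK));
    printf("meta ACCEPT: fixed=%d\n",
           nopol_check_fixed(&dst_meta, XFRM_USERPOLICY_ACCEPT));
    return 0;
}
```

The point of the model is the ordering of the conditions: the NULL test must short-circuit before the flags load, so a packet that lacks a device never reaches the dereference, and the default-BLOCK policy still applies to it as to any non-loopback traffic.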

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5b7f84b1f9f46327360a64c529433fa0d68cc3f4
Fixed
2761612bcde9776dd93ce60ce55ef0b7c7329153
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d151d39073aff498358543801fca0f670fea981
Fixed
96f2758a6d028d1ac08616de9c3c7ff2a122ecf1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d151d39073aff498358543801fca0f670fea981
Fixed
e26d676c1f9f335510780b566a10475c47ce03d0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d151d39073aff498358543801fca0f670fea981
Fixed
17ecd4a4db4783392edd4944f5e8268205083f70

Affected versions

v5.*

v5.10.118
v5.10.119
v5.10.120
v5.10.121
v5.10.122
v5.10.123
v5.10.124
v5.10.125
v5.10.126
v5.10.127
v5.10.128
v5.10.129
v5.10.130
v5.10.131
v5.10.132
v5.10.133
v5.10.134
v5.10.135
v5.10.136
v5.10.137
v5.10.138
v5.10.139
v5.14
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.2
v5.19.3
v5.19.4
v5.19.5

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "121398707606240027798592663831883018422",
                "length": 2668.0
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e26d676c1f9f335510780b566a10475c47ce03d0",
            "target": {
                "function": "xfrm_lookup_with_ifid",
                "file": "net/xfrm/xfrm_policy.c"
            },
            "id": "CVE-2022-50004-3d6ea786",
            "signature_version": "v1",
            "deprecated": false,
            "signature_type": "Function"
        },
        {
            "digest": {
                "function_hash": "121398707606240027798592663831883018422",
                "length": 2668.0
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@17ecd4a4db4783392edd4944f5e8268205083f70",
            "target": {
                "function": "xfrm_lookup_with_ifid",
                "file": "net/xfrm/xfrm_policy.c"
            },
            "id": "CVE-2022-50004-532d14a9",
            "signature_version": "v1",
            "deprecated": false,
            "signature_type": "Function"
        },
        {
            "digest": {
                "line_hashes": [
                    "135984075984079284958453316399444233442",
                    "152180051734543438205387181180733251867",
                    "311303586432946131708799278193319860128",
                    "161947333518438921545876133128930694633"
                ],
                "threshold": 0.9
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e26d676c1f9f335510780b566a10475c47ce03d0",
            "target": {
                "file": "net/xfrm/xfrm_policy.c"
            },
            "id": "CVE-2022-50004-5e6467aa",
            "signature_version": "v1",
            "deprecated": false,
            "signature_type": "Line"
        },
        {
            "digest": {
                "function_hash": "121398707606240027798592663831883018422",
                "length": 2668.0
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@96f2758a6d028d1ac08616de9c3c7ff2a122ecf1",
            "target": {
                "function": "xfrm_lookup_with_ifid",
                "file": "net/xfrm/xfrm_policy.c"
            },
            "id": "CVE-2022-50004-66e66664",
            "signature_version": "v1",
            "deprecated": false,
            "signature_type": "Function"
        },
        {
            "digest": {
                "line_hashes": [
                    "135984075984079284958453316399444233442",
                    "152180051734543438205387181180733251867",
                    "311303586432946131708799278193319860128",
                    "161947333518438921545876133128930694633"
                ],
                "threshold": 0.9
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@96f2758a6d028d1ac08616de9c3c7ff2a122ecf1",
            "target": {
                "file": "net/xfrm/xfrm_policy.c"
            },
            "id": "CVE-2022-50004-8ff2b7bc",
            "signature_version": "v1",
            "deprecated": false,
            "signature_type": "Line"
        },
        {
            "digest": {
                "line_hashes": [
                    "135984075984079284958453316399444233442",
                    "152180051734543438205387181180733251867",
                    "311303586432946131708799278193319860128",
                    "161947333518438921545876133128930694633"
                ],
                "threshold": 0.9
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@17ecd4a4db4783392edd4944f5e8268205083f70",
            "target": {
                "file": "net/xfrm/xfrm_policy.c"
            },
            "id": "CVE-2022-50004-9557103b",
            "signature_version": "v1",
            "deprecated": false,
            "signature_type": "Line"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.140
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.64
Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
5.19.6