CVE-2022-50253

Source
https://cve.org/CVERecord?id=CVE-2022-50253
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50253.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50253
Downstream
Related
Published
2025-09-15T14:02:34.849Z
Modified
2026-07-09T18:30:07.385212961Z
Summary
bpf: make sure skb->len != 0 when redirecting to a tunneling device
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: make sure skb->len != 0 when redirecting to a tunneling device

syzkaller managed to trigger another case where skb->len == 0 when we enter __devqueuexmit:

WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skbassertlen include/linux/skbuff.h:2576 [inline] WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __devqueuexmit+0x2069/0x35e0 net/core/dev.c:4295

Call Trace: devqueuexmit+0x17/0x20 net/core/dev.c:4406 __bpftxskb net/core/filter.c:2115 [inline] __bpfredirectno_mac net/core/filter.c:2140 [inline] __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163 ____bpfcloneredirect net/core/filter.c:2447 [inline] bpfcloneredirect+0x247/0x390 net/core/filter.c:2419 bpfprog48159a89cb4a9a16+0x59/0x5e bpfdispatchernop_func include/linux/bpf.h:897 [inline] __bpfprogrun include/linux/filter.h:596 [inline] bpfprogrun include/linux/filter.h:603 [inline] bpftestrun+0x46c/0x890 net/bpf/testrun.c:402 bpfprogtestrunskb+0xbdc/0x14c0 net/bpf/testrun.c:1170 bpfprogtest_run+0x345/0x3c0 kernel/bpf/syscall.c:3648 __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005 __dosysbpf kernel/bpf/syscall.c:5091 [inline] __sesysbpf kernel/bpf/syscall.c:5089 [inline] __x64sysbpf+0x7c/0x90 kernel/bpf/syscall.c:5089 dosyscall64+0x54/0x70 arch/x86/entry/common.c:48 entrySYSCALL64afterhwframe+0x61/0xc6

The reproducer doesn't really reproduce outside of syzkaller environment, so I'm taking a guess here. It looks like we do generate correct ETH_HLEN-sized packet, but we redirect the packet to the tunneling device. Before we do so, we __skb_pull l2 header and arrive again at skb->len == 0. Doesn't seem like we can do anything better than having an explicit check after _skbpull?

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50253.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d
Fixed
ffbccc5fb0a67424e12f7f8da210c04c8063f797
Fixed
e6a63203e5a90a39392fa1a7ffc60f5e9baf642a
Fixed
772431f30ca040cfbf31b791d468bac6a9ca74d3
Fixed
6d935a02658be82585ecb39aab339faa84496650
Fixed
5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5
Fixed
1b65704b8c08ae92db29f720d3b298031131da53
Fixed
f186303845a01cc7e991f9dc51d7e5a3cdc7aedb
Fixed
07ec7b502800ba9f7b8b15cb01dd6556bb41aaca

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50253.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.9.0
Fixed
4.14.303
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.270
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.229
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.163
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.86
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.16
Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50253.json"