CVE-2022-50310

Source
https://cve.org/CVERecord?id=CVE-2022-50310
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50310.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50310
Downstream
Published
2025-09-15T14:46:05.486Z
Modified
2026-04-02T08:28:24.578167Z
Summary
ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed
Details

In the Linux kernel, the following vulnerability has been resolved:

ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed

If the initialization fails in calling addrconf_init_net(), devconf_all is the pointer that has been released. Then ip6mr_sk_done() is called to release the net, accessing devconf->mc_forwarding directly causes invalid pointer access.

The process is as follows:

    setup_net()
        ops_init()
            addrconf_init_net()
                all = kmemdup(...)             ---> alloc "all"
                ...
                net->ipv6.devconf_all = all;
                __addrconf_sysctl_register()   ---> failed
                ...
                kfree(all);                    ---> ipv6.devconf_all invalid
        ...
        ops_exit_list()
            ...
            ip6mr_sk_done()
                devconf = net->ipv6.devconf_all;
                //devconf is invalid pointer
                if (!devconf || !atomic_read(&devconf->mc_forwarding))

The following is the Call Trace information:

    BUG: KASAN: use-after-free in ip6mr_sk_done+0x112/0x3a0
    Read of size 4 at addr ffff888075508e88 by task ip/14554
    Call Trace:
    <TASK>
    dump_stack_lvl+0x8e/0xd1
    print_report+0x155/0x454
    kasan_report+0xba/0x1f0
    kasan_check_range+0x35/0x1b0
    ip6mr_sk_done+0x112/0x3a0
    rawv6_close+0x48/0x70
    inet_release+0x109/0x230
    inet6_release+0x4c/0x70
    sock_release+0x87/0x1b0
    igmp6_net_exit+0x6b/0x170
    ops_exit_list+0xb0/0x170
    setup_net+0x7ac/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0
    RIP: 0033:0x7f7963322547
    </TASK>

    Allocated by task 14554:
    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    __kasan_kmalloc+0xa1/0xb0
    __kmalloc_node_track_caller+0x4a/0xb0
    kmemdup+0x28/0x60
    addrconf_init_net+0x1be/0x840
    ops_init+0xa5/0x410
    setup_net+0x5aa/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0

    Freed by task 14554:
    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    kasan_save_free_info+0x2a/0x40
    ____kasan_slab_free+0x155/0x1b0
    slab_free_freelist_hook+0x11b/0x220
    __kmem_cache_free+0xa4/0x360
    addrconf_init_net+0x623/0x840
    ops_init+0xa5/0x410
    setup_net+0x5aa/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50310.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d9b1b578d67a14ae7a7a526ee115b233fa264c4
Fixed
22a68c3b9362eaac7b035eba09e95e6b3f7a912c
Fixed
1ca695207ed2271ecbf8ee6c641970f621c157cc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50310.json"