CVE-2022-50425

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50425
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50425.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50425
Published
2025-10-01T11:42:04Z
Modified
2025-10-15T02:05:16.034347Z
Summary
x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly

When an extended state component is not present in fpstate, but in init state, the function copies from init_fpstate via copy_feature().

But, dynamic states are not present in init_fpstate because of all-zeros init states. Then retrieving them from init_fpstate will explode like this:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:memcpy_erms+0x6/0x10
 ? __copy_xstate_to_uabi_buf+0x381/0x870
 fpu_copy_guest_fpstate_to_uabi+0x28/0x80
 kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm]
 ? __this_cpu_preempt_check+0x13/0x20
 ? vmx_vcpu_put+0x2e/0x260 [kvm_intel]
 kvm_vcpu_ioctl+0xea/0x6b0 [kvm]
 ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm]
 ? __fget_light+0xd4/0x130
 __x64_sys_ioctl+0xe3/0x910
 ? debug_smp_processor_id+0x17/0x20
 ? fpregs_assert_state_consistent+0x27/0x50
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Adjust the 'mask' to zero out the userspace buffer for the features that are not available both from fpstate and from init_fpstate.

The dynamic features depend on the compacted XSAVE format. Ensure it is enabled before reading XCOMP_BV in init_fpstate.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2308ee57d93d896618dd65c996429c9d3e469fe0
Fixed
6ff29642fd28965a8f8d6d326ac91bf6075f3113
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2308ee57d93d896618dd65c996429c9d3e469fe0
Fixed
471f0aa7fa64e23766a1473b32d9ec3f0718895a

Affected versions

v5.*

v5.15
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.1-rc1

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2022-50425-5375caa5",
            "signature_type": "Function",
            "target": {
                "file": "arch/x86/kernel/fpu/xstate.c",
                "function": "__copy_xstate_to_uabi_buf"
            },
            "deprecated": false,
            "digest": {
                "length": 2027.0,
                "function_hash": "144349350590957341644678853625280701678"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@471f0aa7fa64e23766a1473b32d9ec3f0718895a"
        },
        {
            "id": "CVE-2022-50425-70bde7cc",
            "signature_type": "Line",
            "target": {
                "file": "arch/x86/kernel/fpu/xstate.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "61622929075303229338973133813567692363",
                    "245984901521861797835041006183940373720",
                    "202196174523217293186534354396114288557"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@471f0aa7fa64e23766a1473b32d9ec3f0718895a"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.7