DEBIAN-CVE-2022-50780

Source
https://security-tracker.debian.org/tracker/CVE-2022-50780
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50780.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-50780
Published
2025-12-24T13:16:04.843Z
Modified
2025-12-25T11:14:40.472211Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed

When the ops_init() interface is invoked to initialize the net, but ops->init() fails, data is released. However, the ptr pointer in net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked to release the net, invalid address access occurs.

The process is as follows:

    setup_net()
        ops_init()
            data = kzalloc(...)   ---> alloc "data"
            net_assign_generic()  ---> assign "data" to ptr in net->gen
            ...
            ops->init()           ---> failed
            ...
            kfree(data);          ---> ptr in net->gen is invalid
        ...
        ops_exit_list()
            ...
            nfqnl_nf_hook_drop()
                *q = nfnl_queue_pernet(net) ---> q is invalid

The following is the Call Trace information:

    BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280
    Read of size 8 at addr ffff88810396b240 by task ip/15855
    Call Trace:
    <TASK>
    dump_stack_lvl+0x8e/0xd1
    print_report+0x155/0x454
    kasan_report+0xba/0x1f0
    nfqnl_nf_hook_drop+0x264/0x280
    nf_queue_nf_hook_drop+0x8b/0x1b0
    __nf_unregister_net_hook+0x1ae/0x5a0
    nf_unregister_net_hooks+0xde/0x130
    ops_exit_list+0xb0/0x170
    setup_net+0x7ac/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0
    </TASK>

    Allocated by task 15855:
    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    __kasan_kmalloc+0xa1/0xb0
    __kmalloc+0x49/0xb0
    ops_init+0xe7/0x410
    setup_net+0x5aa/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0

    Freed by task 15855:
    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    kasan_save_free_info+0x2a/0x40
    ____kasan_slab_free+0x155/0x1b0
    slab_free_freelist_hook+0x11b/0x220
    __kmem_cache_free+0xa4/0x360
    ops_init+0xb9/0x410
    setup_net+0x5aa/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.158-1

Affected versions

5.*
5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50780.json"

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50780.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50780.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50780.json"