{ "threat_severity" : "Moderate", "public_date" : "2025-06-18T00:00:00Z", "bugzilla" : { "description" : "kernel: xfrm: policy: fix metadata dst->dev xmit null pointer dereference", "id" : "2373469", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373469" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nxfrm: policy: fix metadata dst->dev xmit null pointer dereference\nWhen we try to transmit an skb with metadata_dst attached (i.e. dst->dev\n== NULL) through xfrm interface we can hit a null pointer dereference[1]\nin xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a\nloopback skb device when there's no policy which dereferences dst->dev\nunconditionally. Not having dst->dev can be interepreted as it not being\na loopback device, so just add a check for a null dst_orig->dev.\nWith this fix xfrm interface's Tx error counters go up as usual.\n[1] net-next calltrace captured via netconsole:\nBUG: kernel NULL pointer dereference, address: 00000000000000c0\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014\nRIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60\nCode: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02\nRSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80\nRBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000\nR10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880\nR13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000\nFS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0\nCall Trace:\n\nxfrmi_xmit+0xde/0x460\n? tcf_bpf_act+0x13d/0x2a0\ndev_hard_start_xmit+0x72/0x1e0\n__dev_queue_xmit+0x251/0xd30\nip_finish_output2+0x140/0x550\nip_push_pending_frames+0x56/0x80\nraw_sendmsg+0x663/0x10a0\n? try_charge_memcg+0x3fd/0x7a0\n? __mod_memcg_lruvec_state+0x93/0x110\n? sock_sendmsg+0x30/0x40\nsock_sendmsg+0x30/0x40\n__sys_sendto+0xeb/0x130\n? handle_mm_fault+0xae/0x280\n? do_user_addr_fault+0x1e7/0x680\n? kvm_read_and_reset_apf_flags+0x3b/0x50\n__x64_sys_sendto+0x20/0x30\ndo_syscall_64+0x34/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7ff35cac1366\nCode: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89\nRSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366\nRDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003\nRBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040\nR13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001\n\nModules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole]\nCR2: 00000000000000c0", "A flaw was found in the XFRM policy support in the Linux kernel. A NULL pointer dereference can be triggered when a socket buffer is transmitted via an XFRM interface due to a missing check, resulting in a denial of service." ], "statement" : "This issue has been fixed in Red Hat Enterprise Linux 9.3 via RHSA-2023:6583 [1].\n[1]. https://access.redhat.com/errata/RHSA-2023:6583", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50004\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50004\nhttps://lore.kernel.org/linux-cve-announce/2025061829-CVE-2022-50004-88ff@gregkh/T" ], "name" : "CVE-2022-50004", "csaw" : false }