{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: md-raid10: fix KASAN warning",
    "id" : "2373662",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373662"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-823",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmd-raid10: fix KASAN warning\nThere's a KASAN warning in raid10_remove_disk when running the lvm\ntest lvconvert-raid-reshape.sh. We fix this warning by verifying that the\nvalue \"number\" is valid.\nBUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]\nRead of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682\nCPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x34/0x44\nprint_report.cold+0x45/0x57a\n? __lock_text_start+0x18/0x18\n? raid10_remove_disk+0x61/0x2a0 [raid10]\nkasan_report+0xa8/0xe0\n? raid10_remove_disk+0x61/0x2a0 [raid10]\nraid10_remove_disk+0x61/0x2a0 [raid10]\nBuffer I/O error on dev dm-76, logical block 15344, async page read\n? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0\nremove_and_add_spares+0x367/0x8a0 [md_mod]\n? super_written+0x1c0/0x1c0 [md_mod]\n? mutex_trylock+0xac/0x120\n? _raw_spin_lock+0x72/0xc0\n? _raw_spin_lock_bh+0xc0/0xc0\nmd_check_recovery+0x848/0x960 [md_mod]\nraid10d+0xcf/0x3360 [raid10]\n? sched_clock_cpu+0x185/0x1a0\n? rb_erase+0x4d4/0x620\n? var_wake_function+0xe0/0xe0\n? psi_group_change+0x411/0x500\n? preempt_count_sub+0xf/0xc0\n? _raw_spin_lock_irqsave+0x78/0xc0\n? __lock_text_start+0x18/0x18\n? raid10_sync_request+0x36c0/0x36c0 [raid10]\n? preempt_count_sub+0xf/0xc0\n? _raw_spin_unlock_irqrestore+0x19/0x40\n? del_timer_sync+0xa9/0x100\n? try_to_del_timer_sync+0xc0/0xc0\n? _raw_spin_lock_irqsave+0x78/0xc0\n? __lock_text_start+0x18/0x18\n? _raw_spin_unlock_irq+0x11/0x24\n? __list_del_entry_valid+0x68/0xa0\n? finish_wait+0xa3/0x100\nmd_thread+0x161/0x260 [md_mod]\n? unregister_md_personality+0xa0/0xa0 [md_mod]\n? _raw_spin_lock_irqsave+0x78/0xc0\n? prepare_to_wait_event+0x2c0/0x2c0\n? unregister_md_personality+0xa0/0xa0 [md_mod]\nkthread+0x148/0x180\n? kthread_complete_and_exit+0x20/0x20\nret_from_fork+0x1f/0x30\n</TASK>\nAllocated by task 124495:\nkasan_save_stack+0x1e/0x40\n__kasan_kmalloc+0x80/0xa0\nsetup_conf+0x140/0x5c0 [raid10]\nraid10_run+0x4cd/0x740 [raid10]\nmd_run+0x6f9/0x1300 [md_mod]\nraid_ctr+0x2531/0x4ac0 [dm_raid]\ndm_table_add_target+0x2b0/0x620 [dm_mod]\ntable_load+0x1c8/0x400 [dm_mod]\nctl_ioctl+0x29e/0x560 [dm_mod]\ndm_compat_ctl_ioctl+0x7/0x20 [dm_mod]\n__do_compat_sys_ioctl+0xfa/0x160\ndo_syscall_64+0x90/0xc0\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nLast potentially related work creation:\nkasan_save_stack+0x1e/0x40\n__kasan_record_aux_stack+0x9e/0xc0\nkvfree_call_rcu+0x84/0x480\ntimerfd_release+0x82/0x140\nL __fput+0xfa/0x400\ntask_work_run+0x80/0xc0\nexit_to_user_mode_prepare+0x155/0x160\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x42/0xc0\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nSecond to last potentially related work creation:\nkasan_save_stack+0x1e/0x40\n__kasan_record_aux_stack+0x9e/0xc0\nkvfree_call_rcu+0x84/0x480\ntimerfd_release+0x82/0x140\n__fput+0xfa/0x400\ntask_work_run+0x80/0xc0\nexit_to_user_mode_prepare+0x155/0x160\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x42/0xc0\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nThe buggy address belongs to the object at ffff889108f3d200\nwhich belongs to the cache kmalloc-256 of size 256\nThe buggy address is located 0 bytes to the right of\n256-byte region [ffff889108f3d200, ffff889108f3d300)\nThe buggy address belongs to the physical page:\npage:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c\nhead:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0\nflags: 0x4000000000010200(slab|head|zone=2)\nraw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40\nraw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nffff889108f3d280: 00 00\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-09-30T00:00:00Z",
    "advisory" : "RHSA-2025:17109",
    "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7",
    "package" : "kernel-rt-0:3.10.0-1160.140.1.rt56.1292.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-10-01T00:00:00Z",
    "advisory" : "RHSA-2025:17161",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "kernel-0:3.10.0-1160.141.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-09-10T00:00:00Z",
    "advisory" : "RHSA-2025:15656",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.168.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-12-04T00:00:00Z",
    "advisory" : "RHSA-2025:22752",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.179.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-12-04T00:00:00Z",
    "advisory" : "RHSA-2025:22752",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.179.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-10-01T00:00:00Z",
    "advisory" : "RHSA-2025:17124",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.162.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-10-01T00:00:00Z",
    "advisory" : "RHSA-2025:17124",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.162.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-10-01T00:00:00Z",
    "advisory" : "RHSA-2025:17124",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.162.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-10-01T00:00:00Z",
    "advisory" : "RHSA-2025:17159",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.148.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-10-01T00:00:00Z",
    "advisory" : "RHSA-2025:17192",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.148.1.rt21.220.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50211\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50211\nhttps://lore.kernel.org/linux-cve-announce/2025061843-CVE-2022-50211-393a@gregkh/T" ],
  "name" : "CVE-2022-50211",
  "csaw" : false
}