{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Denial of Service and information disclosure via undefined bit shift in drm/ttm",
    "id" : "2396433",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396433"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-1335",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned. The UBSAN warning calltrace like below:\nUBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26\nleft shift of 1 by 31 places cannot be represented in type 'int'\nCall Trace:\n<TASK>\ndump_stack_lvl+0x7d/0xa5\ndump_stack+0x15/0x1b\nubsan_epilogue+0xe/0x4e\n__ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\nttm_bo_move_memcpy+0x3b4/0x460 [ttm]\nbo_driver_move+0x32/0x40 [drm_vram_helper]\nttm_bo_handle_move_mem+0x118/0x200 [ttm]\nttm_bo_validate+0xfa/0x220 [ttm]\ndrm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]\ndrm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]\ndrm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]\ndrm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]\ndrm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]\ndrm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]\ndrm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]\ndrm_atomic_commit+0x9c/0x160 [drm]\ndrm_client_modeset_commit_atomic+0x33a/0x380 [drm]\ndrm_client_modeset_commit_locked+0x77/0x220 [drm]\ndrm_client_modeset_commit+0x31/0x60 [drm]\n__drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]\ndrm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]\nfbcon_init+0x316/0x790\nvisual_init+0x113/0x1d0\ndo_bind_con_driver+0x2a3/0x5c0\ndo_take_over_console+0xa9/0x270\ndo_fbcon_takeover+0xa1/0x170\ndo_fb_registered+0x2a8/0x340\nfbcon_fb_registered+0x47/0xe0\nregister_framebuffer+0x294/0x4a0\n__drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]\ndrm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]\ndrm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]\ndrm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]\nbochs_pci_probe+0x6ca/0x772 [bochs]\nlocal_pci_probe+0x4d/0xb0\npci_device_probe+0x119/0x320\nreally_probe+0x181/0x550\n__driver_probe_device+0xc6/0x220\ndriver_probe_device+0x32/0x100\n__driver_attach+0x195/0x200\nbus_for_each_dev+0xbb/0x120\ndriver_attach+0x27/0x30\nbus_add_driver+0x22e/0x2f0\ndriver_register+0xa9/0x190\n__pci_register_driver+0x90/0xa0\nbochs_pci_driver_init+0x52/0x1000 [bochs]\ndo_one_initcall+0x76/0x430\ndo_init_module+0x61/0x28a\nload_module+0x1f82/0x2e50\n__do_sys_finit_module+0xf8/0x190\n__x64_sys_finit_module+0x23/0x30\ndo_syscall_64+0x58/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n</TASK>", "A flaw was found in the Linux kernel's `drm/ttm` component. A local user could exploit an undefined behavior in bit shifting, specifically when a signed 32-bit value is shifted by 31 bits, which cannot be represented in an 'int' type. This vulnerability could lead to local information disclosure, potentially revealing sensitive system details. Additionally, it can result in a kernel warning or panic, causing a Denial of Service (DoS) for the affected system." ],
  "statement" : "This vulnerability is rated Low for Red Hat. The flaw in the Linux kernel's drm/ttm component, specifically an undefined behavior in bit shifting, could lead to local information disclosure and denial of service. This vulnerability could theoretically affect integrity, though it is unlikely and non-deterministic. Similarly, availability may be affected as the flaw can result in a kernel warning or panic.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50390\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50390\nhttps://lore.kernel.org/linux-cve-announce/2025091853-CVE-2022-50390-742c@gregkh/T" ],
  "name" : "CVE-2022-50390",
  "csaw" : false
}