{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: sched: fix memory leak in tcindex_set_parms",
    "id" : "2396378",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396378"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: sched: fix memory leak in tcindex_set_parms\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810c287f00 (size 256):\ncomm \"syz-executor105\", pid 3600, jiffies 4294943292 (age 12.990s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\nbacktrace:\n[<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046\n[<ffffffff839c9e07>] kmalloc include/linux/slab.h:576 [inline]\n[<ffffffff839c9e07>] kmalloc_array include/linux/slab.h:627 [inline]\n[<ffffffff839c9e07>] kcalloc include/linux/slab.h:659 [inline]\n[<ffffffff839c9e07>] tcf_exts_init include/net/pkt_cls.h:250 [inline]\n[<ffffffff839c9e07>] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342\n[<ffffffff839caa1f>] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553\n[<ffffffff8394db62>] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147\n[<ffffffff8389e91c>] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082\n[<ffffffff839eba67>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540\n[<ffffffff839eab87>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n[<ffffffff839eab87>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n[<ffffffff839eb046>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n[<ffffffff8383e796>] sock_sendmsg_nosec net/socket.c:714 [inline]\n[<ffffffff8383e796>] sock_sendmsg+0x56/0x80 net/socket.c:734\n[<ffffffff8383eb08>] ____sys_sendmsg+0x178/0x410 net/socket.c:2482\n[<ffffffff83843678>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n[<ffffffff838439c5>] __sys_sendmmsg+0x105/0x330 net/socket.c:2622\n[<ffffffff83843c14>] __do_sys_sendmmsg net/socket.c:2651 [inline]\n[<ffffffff83843c14>] __se_sys_sendmmsg net/socket.c:2648 [inline]\n[<ffffffff83843c14>] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648\n[<ffffffff84605fd5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<ffffffff84605fd5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n[<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\nKernel uses tcindex_change() to change an existing\nfilter properties.\nYet the problem is that, during the process of changing,\nif `old_r` is retrieved from `p->perfect`, then\nkernel uses tcindex_alloc_perfect_hash() to newly\nallocate filter results, uses tcindex_filter_result_init()\nto clear the old filter result, without destroying\nits tcf_exts structure, which triggers the above memory leak.\nTo be more specific, there are only two source for the `old_r`,\naccording to the tcindex_lookup(). `old_r` is retrieved from\n`p->perfect`, or `old_r` is retrieved from `p->h`.\n* If `old_r` is retrieved from `p->perfect`, kernel uses\ntcindex_alloc_perfect_hash() to newly allocate the\nfilter results. Then `r` is assigned with `cp->perfect + handle`,\nwhich is newly allocated. So condition `old_r && old_r != r` is\ntrue in this situation, and kernel uses tcindex_filter_result_init()\nto clear the old filter result, without destroying\nits tcf_exts structure\n* If `old_r` is retrieved from `p->h`, then `p->perfect` is NULL\naccording to the tcindex_lookup(). Considering that `cp->h`\nis directly copied from `p->h` and `p->perfect` is NULL,\n`r` is assigned with `tcindex_lookup(cp, handle)`, whose value\nshould be the same as `old_r`, so condition `old_r && old_r != r`\nis false in this situation, kernel ignores using\ntcindex_filter_result_init() to clear the old filter result.\nSo only when `old_r` is retrieved from `p->perfect` does kernel use\ntcindex_filter_result_init() to clear the old filter result, which\ntriggers the above memory leak.\nConsidering that there already exists a tc_filter_wq workqueue\nto destroy the old tcindex_d\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-07-18T00:00:00Z",
    "advisory" : "RHSA-2023:4130",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.6",
    "package" : "kernel-0:4.18.0-372.64.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2023-07-18T00:00:00Z",
    "advisory" : "RHSA-2023:4130",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "kernel-0:4.18.0-372.64.1.el8_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50396\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50396\nhttps://lore.kernel.org/linux-cve-announce/2025091854-CVE-2022-50396-8b1b@gregkh/T" ],
  "name" : "CVE-2022-50396",
  "csaw" : false
}