{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/tunnel: wait until all sk_user_data reader finish before releasing the sock",
    "id" : "2396526",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396526"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-820",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/tunnel: wait until all sk_user_data reader finish before releasing the sock\nThere is a race condition in vxlan that when deleting a vxlan device\nduring receiving packets, there is a possibility that the sock is\nreleased after getting vxlan_sock vs from sk_user_data. Then in\nlater vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got\nNULL pointer dereference. e.g.\n#0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757\n#1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d\n#2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48\n#3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b\n#4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb\n#5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542\n#6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62\n[exception RIP: vxlan_ecn_decapsulate+0x3b]\nRIP: ffffffffc1014e7b  RSP: ffffa25ec6978cb0  RFLAGS: 00010246\nRAX: 0000000000000008  RBX: ffff8aa000888000  RCX: 0000000000000000\nRDX: 000000000000000e  RSI: ffff8a9fc7ab803e  RDI: ffff8a9fd1168700\nRBP: ffff8a9fc7ab803e   R8: 0000000000700000   R9: 00000000000010ae\nR10: ffff8a9fcb748980  R11: 0000000000000000  R12: ffff8a9fd1168700\nR13: ffff8aa000888000  R14: 00000000002a0000  R15: 00000000000010ae\nORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n#7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]\n#8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507\n#9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45\n#10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807\n#11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951\n#12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde\n#13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b\n#14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139\n#15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a\n#16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3\n#17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca\n#18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3\nReproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh\nFix this by waiting for all sk_user_data reader to finish before\nreleasing the sock." ],
  "statement" : "A race in udp_tunnel_sock_release() could free the UDP tunnel socket while in-flight RX code still dereferences sk_user_data, leading to a NULL dereference or use-after-free (e.g., with VXLAN during interface removal under load). The fix adds an synchronize_rcu() after clearing sk_user_data to wait for all RCU readers to finish before releasing the socket. Practically, this is triggerable by a local administrator (NET_ADMIN) tearing down a UDP-based tunnel amid heavy traffic.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50405\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50405\nhttps://lore.kernel.org/linux-cve-announce/2025091852-CVE-2022-50405-8450@gregkh/T" ],
  "name" : "CVE-2022-50405",
  "csaw" : false
}