{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: RDMA/core: Make sure \"ib_port\" is valid when access sysfs node",
    "id" : "2401529",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401529"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/core: Make sure \"ib_port\" is valid when access sysfs node\nThe \"ib_port\" structure must be set before adding the sysfs kobject,\nand reset after removing it, otherwise it may crash when accessing\nthe sysfs node:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000050\nMem abort info:\nESR = 0x96000006\nException class = DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nData abort info:\nISV = 0, ISS = 0x00000006\nCM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5\n[0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000\nInternal error: Oops: 96000006 [#2] PREEMPT SMP\nModules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci]\nProcess grep (pid: 3372, stack limit = 0x0000000022055c92)\nCPU: 5 PID: 3372 Comm: grep Tainted: G      D    OE     4.19.161-mlnx.47.gadcd9e3 #1\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep  8 2022\npstate: 40000005 (nZcv daif -PAN -UAO)\npc : hw_stat_port_show+0x4c/0x80 [ib_core]\nlr : port_attr_show+0x40/0x58 [ib_core]\nsp : ffff000029f43b50\nx29: ffff000029f43b50 x28: 0000000019375000\nx27: ffff8007b821a540 x26: ffff000029f43e30\nx25: 0000000000008000 x24: ffff000000eaa958\nx23: 0000000000001000 x22: ffff8007a4ce3000\nx21: ffff8007baff8000 x20: ffff8007b9066ac0\nx19: ffff8007bae97578 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000\nx15: 0000000000000000 x14: 0000000000000000\nx13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000\nx9 : 0000000000000000 x8 : ffff8007a4ce4000\nx7 : 0000000000000000 x6 : 000000000000003f\nx5 : ffff000000e6a280 x4 : ffff8007a4ce3000\nx3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab\nx1 : ffff8007b9066a10 x0 : ffff8007baff8000\nCall trace:\nhw_stat_port_show+0x4c/0x80 [ib_core]\nport_attr_show+0x40/0x58 [ib_core]\nsysfs_kf_seq_show+0x8c/0x150\nkernfs_seq_show+0x44/0x50\nseq_read+0x1b4/0x45c\nkernfs_fop_read+0x148/0x1d8\n__vfs_read+0x58/0x180\nvfs_read+0x94/0x154\nksys_read+0x68/0xd8\n__arm64_sys_read+0x28/0x34\nel0_svc_common+0x88/0x18c\nel0_svc_handler+0x78/0x94\nel0_svc+0x8/0xe8\nCode: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861)", "A NULL pointer dereference flaw was found in the Linux kernel RDMA core's sysfs handling. A local user with access to InfiniBand sysfs nodes can read sysfs attributes while an InfiniBand port is being removed, causing the kernel to dereference a NULL ib_port pointer when the port structure has been freed but sysfs access is still possible, which results in a NULL pointer dereference and denial of service through kernel crash." ],
  "statement" : "The issue arises because sysfs attribute handlers fail to validate that the ib_port pointer is non-NULL before dereferencing it. When userspace accesses sysfs nodes under /sys/class/infiniband/ (such as port state, capabilities, or statistics), the kernel retrieves the associated port structure. During device removal or port state changes, the port structure can be freed while sysfs nodes still exist. If a sysfs read occurs during or after this removal, the code dereferences a NULL or freed ib_port pointer, causing a kernel crash. This can be triggered by simply reading sysfs attributes while removing or reconfiguring InfiniBand devices.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-05-10T00:00:00Z",
    "advisory" : "RHSA-2022:1988",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-372.9.1.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50475\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50475\nhttps://lore.kernel.org/linux-cve-announce/2025100438-CVE-2022-50475-b3ed@gregkh/T" ],
  "name" : "CVE-2022-50475",
  "csaw" : false
}