{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: NFSD: Protect against send buffer overflow in NFSv3 READDIR",
    "id" : "2401498",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401498"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-131",
  "details" : [ "A buffer management flaw was found in the Linux kernel's NFS server (NFSD) implementation, in the handling of the NFSv3 READDIR operation.\nA remote client can trigger this issue by sending a small, well-formed RPC call inside a deliberately oversized RPC record, which forces the server to shrink the buffer available for its response. The READDIR response construction can then write beyond the available buffer space, resulting in a send buffer overflow that can lead to memory corruption, denial of service via crash, or potential data integrity issues." ],
  "statement" : "NFSD optimizes memory usage by sharing the same page array for both receiving RPC calls and sending replies, since operations typically don't need large buffers simultaneously. When an RPC call arrives, the response buffer size is calculated based on remaining pages after accounting for the received data. A malicious client can send a correctly-formed but deliberately oversized RPC record containing a small actual RPC call. The NFSD thread processes this normally, but the response buffer (rq_res) is now constrained. When constructing a READDIR reply, which can be quite large, the encoder writes past the truncated buffer boundary into adjacent kernel memory.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-02-21T00:00:00Z",
    "advisory" : "RHSA-2023:0832",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-425.13.1.el8_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50487\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50487\nhttps://lore.kernel.org/linux-cve-announce/2025100441-CVE-2022-50487-f5ea@gregkh/T" ],
  "name" : "CVE-2022-50487",
  "csaw" : false
}