{
  "threat_severity" : "Low",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: drbd: only clone bio if we have a backing device",
    "id" : "2401575",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401575"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrbd: only clone bio if we have a backing device\nCommit c347a787e34cb (drbd: set ->bi_bdev in drbd_req_new) moved a\nbio_set_dev call (which has since been removed) to \"earlier\", from\ndrbd_request_prepare to drbd_req_new.\nThe problem is that this accesses device->ldev->backing_bdev, which is\nnot NULL-checked at this point. When we don't have an ldev (i.e. when\nthe DRBD device is diskless), this leads to a null pointer deref.\nSo, only allocate the private_bio if we actually have a disk. This is\nalso a small optimization, since we don't clone the bio to only to\nimmediately free it again in the diskless case.", "A NULL pointer dereference was found in the Linux kernel Distributed Replicated Block Device driver's I/O request handling. A local user with privileges to perform I/O operations on a DRBD block device can trigger I/O requests when the DRBD device is configured in diskless mode (no local backing device), causing the driver to dereference a NULL pointer when attempting to access the backing device structure, which results in denial of service through kernel crash." ],
  "statement" : "The issue arises because of a code refactoring that moved device structure access earlier in the I/O request path without adding proper NULL validation. When drbd_req_new() processes a new I/O request, it attempts to clone the bio and access device->ldev->backing_bdev to set up the backing device information. However, when DRBD is configured in diskless mode (a valid configuration where DRBD acts purely as a network replication layer without local storage), the ldev pointer is NULL. The code lacks a check for this condition before dereferencing the pointer chain, causing an immediate kernel NULL pointer dereference. This occurs reliably whenever I/O is attempted on a diskless DRBD device. While this causes complete system failure through kernel panic, NULL pointer dereferences on modern kernels with memory protection mechanisms cannot be exploited for code execution or information disclosure, only denial of service.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50506\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50506\nhttps://lore.kernel.org/linux-cve-announce/2025100422-CVE-2022-50506-1642@gregkh/T" ],
  "name" : "CVE-2022-50506",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the drbd module from loading. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.",
    "lang" : "en:us"
  },
  "csaw" : false
}