{
  "threat_severity" : "Low",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel (TIPC): Information disclosure via uninitialized memory in tipc_topsrv_kern_subscr",
    "id" : "2402274",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402274"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-908",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntipc: fix an information leak in tipc_topsrv_kern_subscr\nUse a 8-byte write to initialize sub.usr_handle in\ntipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized\nwhen issuing setsockopt(..., SOL_TIPC, ...).\nThis resulted in an infoleak reported by KMSAN when the packet was\nreceived:\n=====================================================\nBUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169\ninstrument_copy_to_user ./include/linux/instrumented.h:121\ncopyout+0xbc/0x100 lib/iov_iter.c:169\n_copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527\ncopy_to_iter ./include/linux/uio.h:176\nsimple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513\n__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\nskb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527\nskb_copy_datagram_msg ./include/linux/skbuff.h:3903\npacket_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469\n____sys_recvmsg+0x2c4/0x810 net/socket.c:?\n___sys_recvmsg+0x217/0x840 net/socket.c:2743\n__sys_recvmsg net/socket.c:2773\n__do_sys_recvmsg net/socket.c:2783\n__se_sys_recvmsg net/socket.c:2780\n__x64_sys_recvmsg+0x364/0x540 net/socket.c:2780\ndo_syscall_x64 arch/x86/entry/common.c:50\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n...\nUninit was stored to memory at:\ntipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156\ntipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375\ntipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579\ntipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\ntipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084\ntipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201\n__sys_setsockopt+0x87f/0xdc0 net/socket.c:2252\n__do_sys_setsockopt net/socket.c:2263\n__se_sys_setsockopt net/socket.c:2260\n__x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260\ndo_syscall_x64 arch/x86/entry/common.c:50\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\nLocal variable sub created at:\ntipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562\ntipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\nBytes 84-87 of 88 are uninitialized\nMemory access of size 88 starts at ffff88801ed57cd0\nData copied to user address 0000000020000400\n...\n=====================================================", "A flaw was found in the Linux kernel's Transparent Inter-Process Communication (TIPC) protocol. This vulnerability allows a local user to disclose sensitive information due to four uninitialized bytes in the sub.usr_handle field within the tipc_topsrv_kern_subscr() function. When a user issues a setsockopt call with SOL_TIPC, these uninitialized bytes can be leaked, leading to information disclosure." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50531\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50531\nhttps://lore.kernel.org/linux-cve-announce/2025100707-CVE-2022-50531-a29b@gregkh/T" ],
  "name" : "CVE-2022-50531",
  "csaw" : false
}