{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: RDMA/rxe: Fix mr->map double free",
    "id" : "2402222",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402222"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1341",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/rxe: Fix mr->map double free\nrxe_mr_cleanup() which tries to free mr->map again will be called when\nrxe_mr_init_user() fails:\nCPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x45/0x5d\npanic+0x19e/0x349\nend_report.part.0+0x54/0x7c\nkasan_report.cold+0xa/0xf\nrxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]\n__rxe_cleanup+0x10a/0x1e0 [rdma_rxe]\nrxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]\nib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]\nib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]\nib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]\nThis issue was firstly exposed since commit b18c7da63fcb (\"RDMA/rxe: Fix\nmemory leak in error path code\") and then we fixed it in commit\n8ff5f5d9d8cf (\"RDMA/rxe: Prevent double freeing rxe_map_set()\") but this\nfix was reverted together at last by commit 1e75550648da (Revert\n\"RDMA/rxe: Create duplicate mapping tables for FMRs\")\nSimply let rxe_mr_cleanup() always handle freeing the mr->map once it is\nsuccessfully allocated.", "A double-free vulnerability was found in the Linux kernel RDMA RXE (soft-RoCE) driver's memory region handling. A local user with access to RDMA userspace verbs can register a memory region with parameters that cause initialization to fail, triggering error handling code that frees the mr->map structure twice, which leads to memory corruption and can result in denial of service via kernel crash or potentially privilege escalation through heap manipulation." ],
  "statement" : "The issue arises because of incorrect error handling in the memory region registration path. When rxe_reg_user_mr() calls rxe_mr_init_user() and initialization fails, the error path frees the mr->map structure. However, the cleanup then calls rxe_mr_cleanup() through __rxe_cleanup(), which attempts to free mr->map again, resulting in a double-free. This vulnerability was introduced when a previous fix for duplicate mapping tables was reverted, inadvertently reintroducing the double-free condition. Under normal circumstances, a local user with permissions to use RDMA verbs (typically requiring membership in the rdma group or CAP_IPC_LOCK capability) can trigger this by registering user memory regions with specific parameters that cause initialization failure. Double-free vulnerabilities are well-known memory corruption primitives; while direct exploitation for privilege escalation requires understanding kernel heap layout, they provide attackers with a foundation for more sophisticated attacks beyond simple denial of service.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-08T00:00:00Z",
    "advisory" : "RHSA-2025:22800",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.89.1.rt7.430.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-08T00:00:00Z",
    "advisory" : "RHSA-2025:22801",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.89.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0532",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.124.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0532",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.124.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50543\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50543\nhttps://lore.kernel.org/linux-cve-announce/2025100756-CVE-2022-50543-597d@gregkh/T" ],
  "name" : "CVE-2022-50543",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the rdma_rxe module from loading. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.",
    "lang" : "en:us"
  },
  "csaw" : false
}