{ "threat_severity" : "Low", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: tipc: fix a null-ptr-deref in tipc_topsrv_accept", "id" : "2402227", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402227" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntipc: fix a null-ptr-deref in tipc_topsrv_accept\nsyzbot found a crash in tipc_topsrv_accept:\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nWorkqueue: tipc_rcv tipc_topsrv_accept\nRIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487\nCall Trace:\n\ntipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460\nprocess_one_work+0x991/0x1610 kernel/workqueue.c:2289\nworker_thread+0x665/0x1080 kernel/workqueue.c:2436\nkthread+0x2e4/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\nIt was caused by srv->listener that might be set to null by\ntipc_topsrv_stop() in net .exit whereas it's still used in\ntipc_topsrv_accept() worker.\nsrv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add\na check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to\navoid the null-ptr-deref. To ensure the lsock is not released during the\ntipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop()\nwhere it's waiting until the tipc_topsrv_accept worker to be done.\nNote that sk_callback_lock is used to protect sk->sk_user_data instead of\nsrv->listener, and it should check srv in tipc_topsrv_listener_data_ready()\ninstead. This also ensures that no more tipc_topsrv_accept worker will be\nstarted after tipc_conn_close() is called in tipc_topsrv_stop() where it\nsets sk->sk_user_data to null." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50555\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50555\nhttps://lore.kernel.org/linux-cve-announce/2025100700-CVE-2022-50555-18e1@gregkh/T" ], "name" : "CVE-2022-50555", "csaw" : false }