{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: dm thin: Fix UAF in run_timer_softirq()",
    "id" : "2405757",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2405757"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndm thin: Fix UAF in run_timer_softirq()\nWhen dm_resume() and dm_destroy() are concurrent, it will\nlead to UAF, as follows:\nBUG: KASAN: use-after-free in __run_timers+0x173/0x710\nWrite of size 8 at addr ffff88816d9490f0 by task swapper/0/0\n<snip>\nCall Trace:\n<IRQ>\ndump_stack_lvl+0x73/0x9f\nprint_report.cold+0x132/0xaa2\n_raw_spin_lock_irqsave+0xcd/0x160\n__run_timers+0x173/0x710\nkasan_report+0xad/0x110\n__run_timers+0x173/0x710\n__asan_store8+0x9c/0x140\n__run_timers+0x173/0x710\ncall_timer_fn+0x310/0x310\npvclock_clocksource_read+0xfa/0x250\nkvm_clock_read+0x2c/0x70\nkvm_clock_get_cycles+0xd/0x20\nktime_get+0x5c/0x110\nlapic_next_event+0x38/0x50\nclockevents_program_event+0xf1/0x1e0\nrun_timer_softirq+0x49/0x90\n__do_softirq+0x16e/0x62c\n__irq_exit_rcu+0x1fa/0x270\nirq_exit_rcu+0x12/0x20\nsysvec_apic_timer_interrupt+0x8e/0xc0\nOne of the concurrency UAF can be shown as below:\nuse                                  free\ndo_resume                           |\n__find_device_hash_cell           |\ndm_get                          |\natomic_inc(&md->holders)      |\n| dm_destroy\n|   __dm_destroy\n|     if (!dm_suspended_md(md))\n|     atomic_read(&md->holders)\n|     msleep(1)\ndm_resume                         |\n__dm_resume                     |\ndm_table_resume_targets       |\npool_resume                 |\ndo_waker  #add delay work |\ndm_put                            |\natomic_dec(&md->holders)        |\n|     dm_table_destroy\n|       pool_dtr\n|         __pool_dec\n|           __pool_destroy\n|             destroy_workqueue\n|             kfree(pool) # free pool\ntime out\n__do_softirq\nrun_timer_softirq # pool has already been freed\nThis can be easily reproduced using:\n1. create thin-pool\n2. dmsetup suspend pool\n3. dmsetup resume pool\n4. dmsetup remove_all # Concurrent with 3\nThe root cause of this UAF bug is that dm_resume() adds timer after\ndm_destroy() skips cancelling the timer because of suspend status.\nAfter timeout, it will call run_timer_softirq(), however pool has\nalready been freed. The concurrency UAF bug will happen.\nTherefore, cancelling timer again in __pool_destroy()." ],
  "statement" : "Fixes a use-after-free in device-mapper thin-provisioning where delayed works (waker, no_space_timeout) could still fire after a pool is freed during a concurrent dm_resume()/dm_destroy() sequence, leading to UAF in run_timer_softirq() and a kernel crash. Exploitation requires root/DM control (e.g., racing dmsetup resume with dmsetup remove), so the practical risk is local DoS during pool teardown rather than data exfiltration. The CVSS vector uses PR:H because triggering it needs high-privilege block-stack operations.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50563\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50563\nhttps://lore.kernel.org/linux-cve-announce/2025102207-CVE-2022-50563-995f@gregkh/T" ],
  "name" : "CVE-2022-50563",
  "csaw" : false
}