{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()",
    "id" : "2420274",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420274"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\nI found a null pointer reference in arch_prepare_kprobe():\n# echo 'p cmdline_proc_show' > kprobe_events\n# echo 'p cmdline_proc_show+16' >> kprobe_events\nKernel attempted to read user page (0) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x00000000\nFaulting instruction address: 0xc000000000050bfc\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\nModules linked in:\nCPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\nNIP:  c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\nREGS: c0000000348475b0 TRAP: 0300   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)\nMSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 88002444  XER: 20040006\nCFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n...\nNIP arch_prepare_kprobe+0x10c/0x2d0\nLR  arch_prepare_kprobe+0xfc/0x2d0\nCall Trace:\n0xc0000000012f77a0 (unreliable)\nregister_kprobe+0x3c0/0x7a0\n__register_trace_kprobe+0x140/0x1a0\n__trace_kprobe_create+0x794/0x1040\ntrace_probe_create+0xc4/0xe0\ncreate_or_delete_trace_kprobe+0x2c/0x80\ntrace_parse_run_command+0xf0/0x210\nprobes_write+0x20/0x40\nvfs_write+0xfc/0x450\nksys_write+0x84/0x140\nsystem_call_exception+0x17c/0x3a0\nsystem_call_vectored_common+0xe8/0x278\n--- interrupt: 3000 at 0x7fffa5682de0\nNIP:  00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\nREGS: c000000034847e80 TRAP: 3000   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)\nMSR:  900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 44002408  XER: 00000000\nThe address being probed has some special:\ncmdline_proc_show: Probe based on ftrace\ncmdline_proc_show+16: Probe for the next instruction at the ftrace location\nThe ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n...\nprev = get_kprobe(p->addr - 1);\npreempt_enable_no_resched();\nif (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {\n...\nIf prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur\nwith a null pointer reference. At this point prev->addr will not be a\nprefixed instruction, so the check can be skipped.\nCheck if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'\nto fix this problem.\n[mpe: Trim oops]", "A flaw was found in the Linux kernel in arch_prepare_kprobe(), where certain error conditions are not properly validated before dereferencing a pointer. Under specific circumstances, this can result in a NULL pointer dereference in kernel space. If triggered, the kernel may generate an oops or panic, causing the system to become unstable or crash." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50635\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50635\nhttps://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50635-b2b8@gregkh/T" ],
  "name" : "CVE-2022-50635",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}