{
  "threat_severity" : "Low",
  "public_date" : "2025-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: seccomp: Move copy_seccomp() to no failure path",
    "id" : "2420323",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420323"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nseccomp: Move copy_seccomp() to no failure path.\nOur syzbot instance reported memory leaks in do_seccomp() [0], similar\nto the report [1].  It shows that we miss freeing struct seccomp_filter\nand some objects included in it.\nWe can reproduce the issue with the program below [2] which calls one\nseccomp() and two clone() syscalls.\nThe first clone()d child exits earlier than its parent and sends a\nsignal to kill it during the second clone(), more precisely before the\nfatal_signal_pending() test in copy_process().  When the parent receives\nthe signal, it has to destroy the embryonic process and return -EINTR to\nuser space.  In the failure path, we have to call seccomp_filter_release()\nto decrement the filter's refcount.\nInitially, we called it in free_task() called from the failure path, but\nthe commit 3a15fb6ed92c (\"seccomp: release filter after task is fully\ndead\") moved it to release_task() to notify user space as early as possible\nthat the filter is no longer used.\nTo keep the change and current seccomp refcount semantics, let's move\ncopy_seccomp() just after the signal check and add a WARN_ON_ONCE() in\nfree_task() for future debugging.\n[0]:\nunreferenced object 0xffff8880063add00 (size 256):\ncomm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.914s)\nhex dump (first 32 bytes):\n01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................\nff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................\nbacktrace:\ndo_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffffc90000035000 (size 4096):\ncomm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\nbacktrace:\n__vmalloc_node_range (mm/vmalloc.c:3226)\n__vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))\nbpf_prog_alloc_no_stats (kernel/bpf/core.c:91)\nbpf_prog_alloc (kernel/bpf/core.c:129)\nbpf_prog_create_from_user (net/core/filter.c:1414)\ndo_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888003fa1000 (size 1024):\ncomm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\nbacktrace:\nbpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)\nbpf_prog_alloc (kernel/bpf/core.c:129)\nbpf_prog_create_from_user (net/core/filter.c:1414)\ndo_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888006360240 (size 16):\ncomm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\nhex dump (first 16 bytes):\n01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff  ..7.verl........\nbacktrace:\nbpf_prog_store_orig_filter (net/core/filter.c:1137)\nbpf_prog_create_from_user (net/core/filter.c:1428)\ndo_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888\n---truncated---", "A memory leak flaw was found in the Linux kernel's seccomp subsystem. When a process using seccomp filters is interrupted by a fatal signal during clone(), the seccomp_filter structure and associated BPF program memory are not properly freed. This occurs because copy_seccomp() is called before the fatal_signal_pending() check, leaving allocated resources unreleased on the error path." ],
  "statement" : "Triggering this leak requires precise timing between signal delivery and clone() execution. While repeated exploitation could lead to memory exhaustion, practical impact is limited.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-09-12T00:00:00Z",
    "advisory" : "RHSA-2023:5069",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.30.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-09-12T00:00:00Z",
    "advisory" : "RHSA-2023:5069",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.30.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50661\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50661\nhttps://lore.kernel.org/linux-cve-announce/2025120942-CVE-2022-50661-ff17@gregkh/T" ],
  "name" : "CVE-2022-50661",
  "csaw" : false
}