{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/mlx5: Fix possible use-after-free in async command interface",
    "id" : "2425054",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425054"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/mlx5: Fix possible use-after-free in async command interface\nmlx5_cmd_cleanup_async_ctx should return only after all its callback\nhandlers were completed. Before this patch, the below race between\nmlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and\nled to a use-after-free:\n1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.\nelevated by 1, a single inflight callback).\n2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.\n3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and\nis about to call wake_up().\n4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns\nimmediately as the condition (num_inflight == 0) holds.\n5. mlx5_cmd_cleanup_async_ctx returns.\n6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx\nobject.\n7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed\nobject.\nFix it by syncing using a completion object. Mark it completed when\nnum_inflight reaches 0.\nTrace:\nBUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270\nRead of size 4 at addr ffff888139cd12f4 by task swapper/5/0\nCPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n<IRQ>\ndump_stack_lvl+0x57/0x7d\nprint_report.cold+0x2d5/0x684\n? do_raw_spin_lock+0x23d/0x270\nkasan_report+0xb1/0x1a0\n? do_raw_spin_lock+0x23d/0x270\ndo_raw_spin_lock+0x23d/0x270\n? rwlock_bug.part.0+0x90/0x90\n? __delete_object+0xb8/0x100\n? lock_downgrade+0x6e0/0x6e0\n_raw_spin_lock_irqsave+0x43/0x60\n? __wake_up_common_lock+0xb9/0x140\n__wake_up_common_lock+0xb9/0x140\n? __wake_up_common+0x650/0x650\n? destroy_tis_callback+0x53/0x70 [mlx5_core]\n? kasan_set_track+0x21/0x30\n? destroy_tis_callback+0x53/0x70 [mlx5_core]\n? kfree+0x1ba/0x520\n? do_raw_spin_unlock+0x54/0x220\nmlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]\n? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\nmlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]\n? dump_command+0xcc0/0xcc0 [mlx5_core]\n? lockdep_hardirqs_on_prepare+0x400/0x400\n? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\ncmd_comp_notifier+0x7e/0xb0 [mlx5_core]\natomic_notifier_call_chain+0xd7/0x1d0\nmlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]\natomic_notifier_call_chain+0xd7/0x1d0\n? irq_release+0x140/0x140 [mlx5_core]\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x1f2/0x620\nhandle_irq_event+0xb2/0x1d0\nhandle_edge_irq+0x21e/0xb00\n__common_interrupt+0x79/0x1a0\ncommon_interrupt+0x78/0xa0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0x42/0x60\nCode: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00\nRSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242\nRAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110\nRDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc\nRBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3\nR10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005\nR13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000\n? default_idle_call+0xcc/0x450\ndefault_idle_call+0xec/0x450\ndo_idle+0x394/0x450\n? arch_cpu_idle_exit+0x40/0x40\n? do_idle+0x17/0x450\ncpu_startup_entry+0x19/0x20\nstart_secondary+0x221/0x2b0\n? set_cpu_sibling_map+0x2070/0x2070\nsecondary_startup_64_no_verify+0xcd/0xdb\n</TASK>\nAllocated by task 49502:\nkasan_save_stack+0x1e/0x40\n__kasan_kmalloc+0x81/0xa0\nkvmalloc_node+0x48/0xe0\nmlx5e_bulk_async_init+0x35/0x110 [mlx5_core]\nmlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]\nmlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]\nmlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]\nmlx5e_detach_netdev+0x1c\n---truncated---", "A flaw was found in the net/mlx5 subsystem of the Linux kernel where a race condition in the asynchronous command interface can lead to a use-after-free condition. The function mlx5_cmd_cleanup_async_ctx may return before all callback handlers have completed, allowing the context to be freed while another thread still references it. Under certain sequences of events, this can result in invalid memory access and potentially escalate privileges or cause kernel instability on affected systems." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50726\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50726\nhttps://lore.kernel.org/linux-cve-announce/2025122418-CVE-2022-50726-2f42@gregkh/T" ],
  "name" : "CVE-2022-50726",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}