{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Privilege escalation via out-of-bounds write in RDMA/siw",
    "id" : "2425020",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425020"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/siw: Fix immediate work request flush to completion queue\nCorrectly set send queue element opcode during immediate work request\nflushing in post sendqueue operation, if the QP is in ERROR state.\nAn undefined opcode value results in out-of-bounds access to an array\nfor mapping the opcode between siw internal and RDMA core representation\nin work completion generation. It resulted in a KASAN BUG report\nof type 'global-out-of-bounds' during NFSoRDMA testing.\nThis patch further fixes a potential case of a malicious user which may\nwrite undefined values for completion queue elements status or opcode,\nif the CQ is memory mapped to user land. It avoids the same out-of-bounds\naccess to arrays for status and opcode mapping as described above.", "A flaw was identified in the Linux kernel RDMA (siw) implementation where an undefined opcode value could be used during immediate work request flushing while in an error state. The send queue element opcode was not correctly set, which could lead to an out-of-bounds access when mapping between the SoftiWARP internal representation and the RDMA core representation in work completion generation. On some test configurations (e.g., NFSoRDMA testing), this resulted in a KASAN BUG report of type global-out-of-bounds. Additionally, a malicious local user with access to a memory-mapped completion queue (CQ) could supply undefined values for completion queue element status or opcode, leading to similar out-of-bounds array access." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50736\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50736\nhttps://lore.kernel.org/linux-cve-announce/2025122422-CVE-2022-50736-1cb3@gregkh/T" ],
  "name" : "CVE-2022-50736",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the `siw` kernel module from loading. Create a file named `/etc/modprobe.d/disable-siw.conf` with the following content:\n`install siw /bin/true`\nAfter creating the file, regenerate the initramfs and reboot the system for the changes to take effect. This mitigation may impact functionality that relies on the Shared-memory InfiniBand Work (siw) component.",
    "lang" : "en:us"
  },
  "csaw" : false
}