{
  "threat_severity" : "Low",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: vhost-vdpa memory leak leading to Denial of Service",
    "id" : "2425101",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425101"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-772",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvhost-vdpa: fix an iotlb memory leak\nBefore commit 3d5698793897 (\"vhost-vdpa: introduce asid based IOTLB\")\nwe called vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) during\nrelease to free all the resources allocated when processing user IOTLB\nmessages through vhost_vdpa_process_iotlb_update().\nThat commit changed the handling of IOTLB a bit, and we accidentally\nremoved some code called during the release.\nWe partially fixed this with commit 037d4305569a (\"vhost-vdpa: call\nvhost_vdpa_cleanup during the release\") but a potential memory leak is\nstill there as showed by kmemleak if the application does not send\nVHOST_IOTLB_INVALIDATE or crashes:\nunreferenced object 0xffff888007fbaa30 (size 16):\ncomm \"blkio-bench\", pid 914, jiffies 4294993521 (age 885.500s)\nhex dump (first 16 bytes):\n40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00  @sA.............\nbacktrace:\n[<0000000087736d2a>] kmem_cache_alloc_trace+0x142/0x1c0\n[<0000000060740f50>] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa]\n[<0000000083e8e205>] vhost_chr_write_iter+0xc0/0x4a0 [vhost]\n[<000000008f2f414a>] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa]\n[<00000000de1cd4a0>] vfs_write+0x216/0x4b0\n[<00000000a2850200>] ksys_write+0x71/0xf0\n[<00000000de8e720b>] __x64_sys_write+0x19/0x20\n[<0000000018b12cbb>] do_syscall_64+0x3f/0x90\n[<00000000986ec465>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\nLet's fix this calling vhost_vdpa_iotlb_unmap() on the whole range in\nvhost_vdpa_remove_as(). We move that call before vhost_dev_cleanup()\nsince we need a valid v->vdev.mm in vhost_vdpa_pa_unmap().\nvhost_iotlb_reset() call can be removed, since vhost_vdpa_iotlb_unmap()\non the whole range removes all the entries.\nThe kmemleak log reported was observed with a vDPA device that has `use_va`\nset to true (e.g. VDUSE). This patch has been tested with both types of\ndevices.", "A flaw was found in the Linux kernel's vhost-vdpa component. This memory leak vulnerability occurs when an application using vhost-vdpa fails to properly invalidate I/O Translation Lookaside Buffer (IOTLB) entries or crashes. A local attacker or application could exploit this flaw, leading to memory exhaustion and potentially a Denial of Service (DoS) on the affected system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50738\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50738\nhttps://lore.kernel.org/linux-cve-announce/2025122447-CVE-2022-50738-d561@gregkh/T" ],
  "name" : "CVE-2022-50738",
  "csaw" : false
}