{ "threat_severity" : "Moderate", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: nvme-pci: fix mempool alloc size", "id" : "2425209", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425209" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-119", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnvme-pci: fix mempool alloc size\nConvert the max size to bytes to match the units of the divisor that\ncalculates the worst-case number of PRP entries.\nThe result is used to determine how many PRP Lists are required. The\ncode was previously rounding this to 1 list, but we can require 2 in the\nworst case. In that scenario, the driver would corrupt memory beyond the\nsize provided by the mempool.\nWhile unlikely to occur (you'd need a 4MB in exactly 127 phys segments\non a queue that doesn't support SGLs), this memory corruption has been\nobserved by kfence.", "A flaw was addressed in the Linux kernel’s nvme-pci driver related to how the driver calculated the worst-case number of PRP (Physical Region Page) lists required for a given I/O request. The implementation previously rounded the allocation to one list instead of correctly converting the maximum size into bytes before computing the divisor. Under certain rare conditions (for example, a 4 MiB transfer split across many physical segments on a queue that does not support SGLs), this calculation error could result in memory being corrupted beyond the size provided by the mempool. This memory corruption has been observed using kfence" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50756\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50756\nhttps://lore.kernel.org/linux-cve-announce/2025122453-CVE-2022-50756-ce43@gregkh/T" ], "name" : "CVE-2022-50756", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }