{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: hsr: avoid possible NULL deref in skb_clone()",
    "id" : "2426194",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426194"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: hsr: avoid possible NULL deref in skb_clone()\nsyzbot got a crash [1] in skb_clone(), caused by a bug\nin hsr_get_untagged_frame().\nWhen/if create_stripped_skb_hsr() returns NULL, we must\nnot attempt to call skb_clone().\nWhile we are at it, replace a WARN_ONCE() by netdev_warn_once().\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nRIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641\nCode: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00\nRSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207\nRAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000\nRDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140\nR10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640\nR13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620\nFS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nhsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164\nhsr_forward_do net/hsr/hsr_forward.c:461 [inline]\nhsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623\nhsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69\n__netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379\n__netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483\n__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599\nnetif_receive_skb_internal net/core/dev.c:5685 [inline]\nnetif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744\ntun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544\ntun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995\ntun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x9e9/0xdd0 fs/read_write.c:584\nksys_write+0x127/0x250 fs/read_write.c:637\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd", "A flaw was found in the Linux kernel’s High-availability Seamless Redundancy (HSR) network subsystem. When the helper function create_stripped_skb_hsr() returns NULL, the subsequent call to skb_clone() occurs without validating the returned pointer, leading to a potential NULL pointer dereference. Under certain conditions this could cause a kernel crash (denial of service) affecting systems handling HSR traffic." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50817\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50817\nhttps://lore.kernel.org/linux-cve-announce/2025123015-CVE-2022-50817-55d8@gregkh/T" ],
  "name" : "CVE-2022-50817",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}