{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: udmabuf: Set ubuf->sg = NULL if the creation of sg table fails",
    "id" : "2426143",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426143"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nudmabuf: Set ubuf->sg = NULL if the creation of sg table fails\nWhen userspace tries to map the dmabuf and if for some reason\n(e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be\nset to NULL. Otherwise, when the userspace subsequently closes the\ndmabuf fd, we'd try to erroneously free the invalid sg table from\nrelease_udmabuf resulting in the following crash reported by syzbot:\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 3609 Comm: syz-executor487 Not tainted\n5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 07/22/2022\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114\nCode: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c\n8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14\n02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2\nRSP: 0018:ffffc900037efd30 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000\nRBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000\nR13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000\nFS:  0000555555fc4300(0000) GS:ffff8880b9a00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\ndma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78\n__dentry_kill+0x42b/0x640 fs/dcache.c:612\ndentry_kill fs/dcache.c:733 [inline]\ndput+0x806/0xdb0 fs/dcache.c:913\n__fput+0x39c/0x9d0 fs/file_table.c:333\ntask_work_run+0xdd/0x1a0 kernel/task_work.c:177\nptrace_notify+0x114/0x140 kernel/signal.c:2353\nptrace_report_syscall include/linux/ptrace.h:420 [inline]\nptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]\nsyscall_exit_work kernel/entry/common.c:249 [inline]\nsyscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276\n__syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]\nsyscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294\ndo_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fc1c0c35b6b\nCode: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24\n0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00\nf0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44\nRSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b\nRDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006\nRBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c\nR13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114", "A flaw was found in the Linux kernel’s udmabuf subsystem where the scatter-gather (sg) pointer was not properly set to NULL if creation of the sg table failed. If userspace attempts to map a dmabuf and the sg table allocation fails (e.g., due to memory exhaustion), the kernel later attempts to free an invalid sg pointer during dmabuf release, causing a NULL pointer dereference and kernel crash" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50819\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50819\nhttps://lore.kernel.org/linux-cve-announce/2025123015-CVE-2022-50819-361a@gregkh/T" ],
  "name" : "CVE-2022-50819",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}