CVE-2022-50080

MEDIUM · CVSS 3.1 Base Score 5.5 · EPSS 12.1%
Published Jun 18, 2025 (1y ago) · Last Modified Jun 17, 2026 (2w ago)

Description

In the Linux kernel, the following vulnerability has been resolved:

tee: add overflow check in register_shm_helper()

With special lengths supplied by user space, register_shm_helper() has an integer overflow when calculating the number of pages covered by a supplied user space memory region.

This causes internal_get_user_pages_fast(), a helper function of pin_user_pages_fast(), to do a NULL pointer dereference:

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
    Modules linked in:
    CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
    Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
    pc : internal_get_user_pages_fast+0x474/0xa80
    Call trace:
     internal_get_user_pages_fast+0x474/0xa80
     pin_user_pages_fast+0x24/0x4c
     register_shm_helper+0x194/0x330
     tee_shm_register_user_buf+0x78/0x120
     tee_ioctl+0xd0/0x11a0
     __arm64_sys_ioctl+0xa8/0xec
     invoke_syscall+0x48/0x114

Fix this by adding an explicit call to access_ok() in tee_shm_register_user_buf() to catch an invalid user space address early.
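The arithmetic failure described above, as an added user-space C model (not the kernel's code or the patch): the page-count formula, PAGE_SIZE, USER_LIMIT and all function names are assumptions, chosen to show why a range check in the role of access_ok() has to run before the page count is computed.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  4096ULL        /* assumed page size */
#define USER_LIMIT (1ULL << 48)   /* constructed stand-in for the top of user space */

static uint64_t round_down(uint64_t x) { return x & ~(PAGE_SIZE - 1); }
static uint64_t round_up(uint64_t x)   { return (x + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1); }

/* Unchecked page count (assumed formula): addr + len may wrap modulo 2^64,
 * so the result can be 0 or otherwise unrelated to the requested length. */
uint64_t naive_num_pages(uint64_t addr, uint64_t len)
{
    uint64_t start = round_down(addr);
    return (round_up(addr + len) - start) / PAGE_SIZE;
}

/* Models the role of access_ok(): the whole range [addr, addr + len) must
 * lie below the limit. Written so that no intermediate sum can overflow. */
int range_ok(uint64_t addr, uint64_t len)
{
    return len <= USER_LIMIT && addr <= USER_LIMIT - len;
}

/* Validate first, then count. Returns 0 on success, -1 for a rejected range
 * (a kernel caller would return an error such as -EFAULT here). */
int checked_num_pages(uint64_t addr, uint64_t len, uint64_t *out)
{
    if (!range_ok(addr, len))
        return -1;
    *out = naive_num_pages(addr, len);
    return 0;
}

int main(void)
{
    uint64_t n = 0;
    /* Constructed inputs: one page-aligned address, a sane and a wrapping length. */
    printf("sane:     %llu pages\n",
           (unsigned long long)naive_num_pages(0x10000, 8192));
    printf("wrapping: %llu pages\n",
           (unsigned long long)naive_num_pages(0x10000, UINT64_MAX));
    printf("checked:  %d\n", checked_num_pages(0x10000, UINT64_MAX, &n));
    return 0;
}
```

The wrapping length yields a page count of zero for a region that nominally spans almost the whole address space, which is the kind of inconsistent state the early range check rejects.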

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability
12.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 7

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥4.16 – <4.19.256
linux   linux_kernel  *        ≥4.20 – <5.4.211
linux   linux_kernel  *        ≥5.5 – <5.10.137
linux   linux_kernel  *        ≥5.11 – <5.15.62
linux   linux_kernel  *        ≥5.16 – <5.18.19
linux   linux_kernel  *        ≥5.19 – <5.19.3
linux   linux_kernel  6.0      any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/2f8e79a1a6128214cb9b205a9869341af5dfb16b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/573ae4f13f630d6660008f1974c0a8a29c30e18a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/578c349570d2a912401963783b36e0ec7a25c053
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/58c008d4d398f792ca67f35650610864725518fd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/965333345fe952cc7eebc8e3a565ffc709441af2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b37e0f17653c00b586cdbcdf0dbca475358ecffd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c12f0e6126ad223806a365084e86370511654bf1
    Patch
