CVE-2022-50253

MEDIUM · CVSS 3.1 5.5 · EPSS 4.3%
Published Sep 15, 2025 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: make sure skb->len != 0 when redirecting to a tunneling device

syzkaller managed to trigger another case where skb->len == 0 when we enter __dev_queue_xmit:

    WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]
    WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295

    Call Trace:
     dev_queue_xmit+0x17/0x20 net/core/dev.c:4406
     __bpf_tx_skb net/core/filter.c:2115 [inline]
     __bpf_redirect_no_mac net/core/filter.c:2140 [inline]
     __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163
     ____bpf_clone_redirect net/core/filter.c:2447 [inline]
     bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419
     bpf_prog_48159a89cb4a9a16+0x59/0x5e
     bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]
     __bpf_prog_run include/linux/filter.h:596 [inline]
     bpf_prog_run include/linux/filter.h:603 [inline]
     bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402
     bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170
     bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648
     __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005
     __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]
     __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]
     __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089
     do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
     entry_SYSCALL_64_after_hwframe+0x61/0xc6

The reproducer doesn't really reproduce outside of syzkaller environment, so I'm taking a guess here. It looks like we do generate correct ETH_HLEN-sized packet, but we redirect the packet to the tunneling device. Before we do so, we __skb_pull l2 header and arrive again at skb->len == 0. Doesn't seem like we can do anything better than having an explicit check after __skb_pull?

CVSS Details

Base Score 5.5
Exploitability 1.8
Impact 3.6
Vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
4.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 7

Vendor   Product        Version   Range
linux    linux_kernel   *         <4.14.303
linux    linux_kernel   *         ≥4.15 – <4.19.270
linux    linux_kernel   *         ≥4.20 – <5.4.229
linux    linux_kernel   *         ≥5.5 – <5.10.163
linux    linux_kernel   *         ≥5.11 – <5.15.86
linux    linux_kernel   *         ≥5.16 – <6.0.16
linux    linux_kernel   *         ≥6.1 – <6.1.2

References 8

  • git.kernel.org https://git.kernel.org/stable/c/07ec7b502800ba9f7b8b15cb01dd6556bb41aaca
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1b65704b8c08ae92db29f720d3b298031131da53
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6d935a02658be82585ecb39aab339faa84496650
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/772431f30ca040cfbf31b791d468bac6a9ca74d3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e6a63203e5a90a39392fa1a7ffc60f5e9baf642a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f186303845a01cc7e991f9dc51d7e5a3cdc7aedb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797
    Patch
