CVE-2022-50459

MEDIUM EPSS 4.8%
Published Oct 1, 20259mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Oct 1, 2025 9mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername() Fix a NULL pointer crash that occurs when we are freeing the socket at the same time we access it via sysfs. The problem is that: 1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold() does a get on the "struct sock". 2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put on the "struct socket" and that does __sock_release() which sets the sock->ops to NULL. 3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then call kernel_getpeername() which accesses the NULL sock->ops. Above we do a get on the "struct sock", but we needed a get on the "struct socket". Originally, we just held the frwd_lock the entire time but in commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()") we switched to refcount based because the network layer changed and started taking a mutex in that path, so we could no longer hold the frwd_lock. Instead of trying to maintain multiple refcounts, this just has us use a mutex for accessing the socket in the interface code paths.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
4.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 7

VendorProductVersionRange
linuxlinux_kernel*≥5.8.14  –  <5.9
linuxlinux_kernel*≥5.9.1  –  <5.10.150
linuxlinux_kernel*≥5.11  –  <5.15.75
linuxlinux_kernel*≥5.16  –  <5.19.17
linuxlinux_kernel*≥6.0  –  <6.0.3
linuxlinux_kernel5.9any
linuxlinux_kernel5.9any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/0a0b861fce2657ba08ec356a74346b37ca4b2008
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/57569c37f0add1b6489e1a1563c71519daf732cf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/884a788f065578bb640382279a83d1df433b13e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/897dbbc57d71e8a34ec1af8e573a142de457da38
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a26b0658751bb0a3b28386fca715333b104d32a2
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0a0b861fce2657ba08ec356a74346b37ca4b2008
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/57569c37f0add1b6489e1a1563c71519daf732cf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/884a788f065578bb640382279a83d1df433b13e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/897dbbc57d71e8a34ec1af8e573a142de457da38
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a26b0658751bb0a3b28386fca715333b104d32a2
    Patch