CVE-2022-50555

MEDIUM EPSS 8.5%
Published Oct 7, 20258mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Oct 7, 2025 8mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: tipc: fix a null-ptr-deref in tipc_topsrv_accept syzbot found a crash in tipc_topsrv_accept: KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] Workqueue: tipc_rcv tipc_topsrv_accept RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487 Call Trace: <TASK> tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 It was caused by srv->listener that might be set to null by tipc_topsrv_stop() in net .exit whereas it's still used in tipc_topsrv_accept() worker. srv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add a check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to avoid the null-ptr-deref. To ensure the lsock is not released during the tipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop() where it's waiting until the tipc_topsrv_accept worker to be done. Note that sk_callback_lock is used to protect sk->sk_user_data instead of srv->listener, and it should check srv in tipc_topsrv_listener_data_ready() instead. This also ensures that no more tipc_topsrv_accept worker will be started after tipc_conn_close() is called in tipc_topsrv_stop() where it sets sk->sk_user_data to null.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
8.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 7

VendorProductVersionRange
linuxlinux_kernel*≥4.17  –  <4.19.264
linuxlinux_kernel*≥4.20  –  <5.4.223
linuxlinux_kernel*≥5.5  –  <5.10.153
linuxlinux_kernel*≥5.11  –  <5.15.77
linuxlinux_kernel*≥5.16  –  <6.0.7
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/24b129aed8730e48f47d852d58d76825ab6f407c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/32a3d4660b34ce49ac0162338ebe362098e2f5df
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7a939503fc32bff4ed60800b73ff7fbb4aea2142
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/82cb4e4612c633a9ce320e1773114875604a3cce
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ce69bdac2310152bb70845024d5d704c52aabfc3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cedb41664e27b2cae7e21487f1bee22dcd84037d
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/24b129aed8730e48f47d852d58d76825ab6f407c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/32a3d4660b34ce49ac0162338ebe362098e2f5df
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7a939503fc32bff4ed60800b73ff7fbb4aea2142
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/82cb4e4612c633a9ce320e1773114875604a3cce
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ce69bdac2310152bb70845024d5d704c52aabfc3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cedb41664e27b2cae7e21487f1bee22dcd84037d
    Patch