Security Vulnerability Report
CVE-2022-50482 CVSS 5.5 MEDIUM

Published: 2025-10-04 16:15:45
Last Modified: 2026-01-23 20:15:04
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Clean up si_domain in the init_dmars() error path

A splat from kmem_cache_destroy() was seen with a kernel prior to commit ee2653bbe89d ("iommu/vt-d: Remove domain and devinfo mempool") when there was a failure in init_dmars(), because the iommu_domain cache still had objects. While the mempool code is now gone, there still is a leak of the si_domain memory if init_dmars() fails. So clean up si_domain in the init_dmars() error path.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.15.80 (affected stable versions)
Linux kernel 5.16.x - 5.19.x
Linux kernel 6.0.x
Linux kernel 6.1.x (some versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2022-50482 PoC - Trigger si_domain memory leak in iommu/vt-d
// This PoC demonstrates the vulnerability by repeatedly failing
// the init_dmars() function to cause si_domain memory leak

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Security Researcher");
MODULE_DESCRIPTION("PoC for CVE-2022-50482 - iommu/vt-d si_domain memory leak");

static int __init cve_2022_50482_init(void)
{
    // The vulnerability exists in init_dmars() error path
    // When init_dmars() fails, si_domain is not cleaned up
    // causing memory leak

    // Triggering conditions:
    // 1. Intel VT-d hardware must be present
    // 2. IOMMU must be enabled in BIOS
    // 3. Force init_dmars() to fail during boot

    // Example: Force failure by corrupting DMAR table
    // or by setting invalid IOMMU parameters

    printk(KERN_INFO "CVE-2022-50482: Attempting to trigger si_domain leak\n");

    // The actual trigger requires kernel-level access to:
    // - intel-iommu.c init_dmars() function
    // - Force early return/error in the function
    // - Observe memory leak via /proc/meminfo or slabinfo

    // To verify the vulnerability:
    // 1. Boot kernel with intel_iommu=on
    // 2. Inject error condition in init_dmars()
    // 3. Check cat /proc/slabinfo | grep iommu_domain
    // 4. Observe leaked si_domain memory

    return 0;
}

static void __exit cve_2022_50482_exit(void)
{
    printk(KERN_INFO "CVE-2022-50482: Module unloaded\n");
}

module_init(cve_2022_50482_init);
module_exit(cve_2022_50482_exit);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50482", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:44.967", "lastModified": "2026-01-23T20:15:03.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Clean up si_domain in the init_dmars() error path\n\nA splat from kmem_cache_destroy() was seen with a kernel prior to\ncommit ee2653bbe89d (\"iommu/vt-d: Remove domain and devinfo mempool\")\nwhen there was a failure in init_dmars(), because the iommu_domain\ncache still had objects. While the mempool code is now gone, there\nstill is a leak of the si_domain memory if init_dmars() fails. So\nclean up si_domain in the init_dmars() error path."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "4.14.298", "matchCriteriaId": "B7F57E4F-F7A6-4924-BAE4-C35EE568EC75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.264", "matchCriteriaId": "8AE23A9F-BF98-4055-AA49-02118B96226D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "4.20", "versionEndExcluding": "5.4.221", "matchCriteriaId": "DF527781-6E98-4DBF-B668-377AA673CDCF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.152", "matchCriteriaId": "AFE2A429-A1A8-4B68-8F1D-A1595AB6A4F7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.76", "matchCriteriaId": "918A4953-6F82-40F5-B7A9-9836905139C1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.6", "matchCriteriaId": "98F5FA4A-A33F-4FAD-894E-FDC9D295742A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0365d6af75f9f2696e94a0fef24a2c8464c037c8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5cecfe151874b835331efe086bbdcaeaf64f6b90", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/620bf9f981365c18cc2766c53d92bf8131c63f32", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/724483b585a1b1e063d42ac5aa835707ff2ec165", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/749bea542b67513e99240dc58bbfc099e842d508", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c4ad3ae4c6be9d8b0701761c839771116bca6ea3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d74196bb278b8f8af88e16bd595997dfa3d6fdb0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}