CVE-2022-50307
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-12-04

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: s390/cio: fix out-of-bounds access on cio_ignore free The channel-subsystem-driver scans for newly available devices whenever device-IDs are removed from the cio_ignore list using a command such as: echo free >/proc/cio_ignore Since an I/O device scan might interfer with running I/Os, commit 172da89ed0ea ("s390/cio: avoid excessive path-verification requests") introduced an optimization to exclude online devices from the scan. The newly added check for online devices incorrectly assumes that an I/O-subchannel's drvdata points to a struct io_subchannel_private. For devices that are bound to a non-default I/O subchannel driver, such as the vfio_ccw driver, this results in an out-of-bounds read access during each scan. Fix this by changing the scan logic to rely on a driver-independent online indication. For this we can use struct subchannel->config.ena, which is the driver's requested subchannel-enabled state. Since I/Os can only be started on enabled subchannels, this matches the intent of the original optimization of not scanning devices where I/O might be running.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2022-50307
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.15.1 (inc) to 5.15.78 (exc)
linux linux_kernel From 5.16 (inc) to 6.0.7 (exc)
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 6.1
linux linux_kernel 6.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds read access in the Linux kernel's s390 channel-subsystem-driver. It occurs when the driver scans for newly available devices after device-IDs are removed from the cio_ignore list. An optimization introduced to exclude online devices from scanning incorrectly assumes a certain data structure for I/O subchannels. For devices using a non-default I/O subchannel driver, this assumption leads to out-of-bounds memory access during each scan. The fix changes the scan logic to use a driver-independent indication of whether a subchannel is enabled, preventing the out-of-bounds access.

Impact Analysis

This vulnerability can cause out-of-bounds memory reads in the Linux kernel on s390 systems when scanning devices, which may lead to system instability, crashes, or potential information disclosure depending on how the out-of-bounds data is handled.

Mitigation Strategies

To mitigate this vulnerability, avoid triggering the device scan that uses the cio_ignore free command until a patched kernel version is applied. Specifically, do not execute commands like 'echo free > /proc/cio_ignore' on affected systems. Apply the kernel update that includes the fix for the out-of-bounds access in the s390/cio driver as soon as it becomes available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50307. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart