CVE-2022-50369
BaseFortify

Publication date: 2025-09-17

Last updated on: 2025-12-12

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/vkms: Fix null-ptr-deref in vkms_release()

A null-ptr-deref is triggered when it tries to destroy the workqueue in vkms->output.composer_workq in vkms_release().

 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
 CPU: 5 PID: 17193 Comm: modprobe Not tainted 6.0.0-11331-gd465bff130bf #24
 RIP: 0010:destroy_workqueue+0x2f/0x710
 ...
 Call Trace:
  <TASK>
  ? vkms_config_debugfs_init+0x50/0x50 [vkms]
  __devm_drm_dev_alloc+0x15a/0x1c0 [drm]
  vkms_init+0x245/0x1000 [vkms]
  do_one_initcall+0xd0/0x4f0
  do_init_module+0x1a4/0x680
  load_module+0x6249/0x7110
  __do_sys_finit_module+0x140/0x200
  do_syscall_64+0x35/0x80
  entry_SYSCALL_64_after_hwframe+0x46/0xb0

The reason is that an OOM happened which triggers the destroy of the workqueue, however, the workqueue is alloced in the later process, thus a null-ptr-deref happened. A simple call graph is shown as below:

 vkms_init()
  vkms_create()
    devm_drm_dev_alloc()
      __devm_drm_dev_alloc()
        devm_drm_dev_init()
          devm_add_action_or_reset()
            devm_add_action() # an error happened
            devm_drm_dev_init_release()
              drm_dev_put()
                kref_put()
                  drm_dev_release()
                    vkms_release()
                      destroy_workqueue() # null-ptr-deref happened
    vkms_modeset_init()
      vkms_output_init()
        vkms_crtc_init() # where the workqueue get allocated

Fix this by checking if composer_workq is NULL before passing it to the destroy_workqueue() in vkms_release().

Meta Information
Published: 2025-09-17
Last Modified: 2025-12-12
Generated: 2026-05-07
AI Q&A: 2025-09-17
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 4 associated CPEs
Vendor   Product        Version / Range
linux    linux_kernel   From 4.20 (inc) to 5.10.173 (exc)
linux    linux_kernel   From 5.11 (inc) to 5.15.99 (exc)
linux    linux_kernel   From 5.16 (inc) to 6.1.16 (exc)
linux    linux_kernel   From 6.2 (inc) to 6.2.3 (exc)
CWE ID    Description
CWE-476   The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can crash the Linux kernel or leave it unstable through a null pointer dereference in the VKMS driver's release path. In the reported trace the fault occurs while the vkms module is being loaded (modprobe) and initialization fails under memory pressure. The result is denial of service (system crashes or reboots) on affected systems, which can disrupt operations or services that rely on the kernel's stability.


Can you explain this vulnerability to me?

This vulnerability is a null pointer dereference in the Linux kernel's vkms_release() function, part of the virtual kernel mode setting (VKMS) driver. It occurs when the release path tries to destroy a workqueue (vkms->output.composer_workq) that has not been allocated yet: an out-of-memory (OOM) error early in device initialization, in devm_add_action(), triggers vkms_release() before vkms_crtc_init() has allocated the workqueue. destroy_workqueue() then dereferences the NULL pointer, which can cause the kernel to crash or behave unexpectedly. The fix is to check whether the workqueue pointer is NULL before attempting to destroy it.
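
The ordering problem described above, reduced to a userspace C model (an added example, not kernel code and not taken from the original page or the kernel patch). The names vkms_model, create_model, destroy_workqueue_model, release_unpatched and release_patched are hypothetical, and a NULL argument is counted instead of dereferenced so the program can report what the kernel would have hit.

```c
/* Userspace model of the init/release ordering; constructed, not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct workqueue { int unused; };          /* stand-in for struct workqueue_struct */
struct vkms_model { struct workqueue *composer_workq; };   /* hypothetical */
static int null_derefs;                    /* calls that would fault in the kernel */

/* Stand-in for destroy_workqueue(), which dereferences its argument. */
static void destroy_workqueue_model(struct workqueue *wq)
{
    if (!wq) { null_derefs++; return; }    /* kernel: null-ptr-deref oops */
    free(wq);
}

/* Release callback without the check. */
static void release_unpatched(struct vkms_model *v)
{
    destroy_workqueue_model(v->composer_workq);
}

/* Release callback with the fix named in the description. */
static void release_patched(struct vkms_model *v)
{
    if (v->composer_workq)
        destroy_workqueue_model(v->composer_workq);
}

/* Models vkms_create(); returns how many NULL dereferences release would hit. */
static int create_model(bool oom_in_add_action, void (*release)(struct vkms_model *))
{
    struct vkms_model v = { .composer_workq = NULL };
    null_derefs = 0;
    if (!oom_in_add_action &&              /* vkms_crtc_init() is only reached without OOM */
        !(v.composer_workq = calloc(1, sizeof(*v.composer_workq))))
        return -1;                         /* the model itself ran out of memory */
    release(&v);   /* error path: runs before allocation; normal path: teardown */
    return null_derefs;
}

int main(void)
{
    printf("OOM, unpatched release: %d\n", create_model(true, release_unpatched));
    printf("OOM, patched release:   %d\n", create_model(true, release_patched));
    printf("no OOM, unpatched:      %d\n", create_model(false, release_unpatched));
    return 0;
}
```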


What immediate steps should I take to mitigate this vulnerability?

Update the Linux kernel to a version in which vkms_release() checks whether composer_workq is NULL before calling destroy_workqueue(), which prevents the null pointer dereference. According to the affected ranges listed on this page, that means 5.10.173, 5.15.99, 6.1.16 or 6.2.3 and later within the respective series. Until an update is applied, avoid triggering conditions that cause out-of-memory (OOM) situations affecting the vkms driver, as the vulnerability is related to OOM handling in vkms_release().

