CVE-2022-50042

net: genl: fix error path memory leak in policy dumping

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: net: genl: fix error path memory leak in policy dumping If construction of the array of policies fails when recording
non-first policy we need to unwind. netlink_policy_dump_add_policy() itself also needs fixing as
it currently gives up on error without recording the allocated
pointer in the pstate pointer.

A flaw was found in the netlink driver in the Linux kernel. A memory leak can occur when allocated memory is not released in certain error cases, potentially impacting system performance and resulting in a denial of service.

In the Linux kernel, the following vulnerability has been resolved: net: genl: fix error path memory leak in policy dumping If construction of the array of policies fails when recording non-first policy we need to unwind. netlink_policy_dump_add_policy() itself also needs fixing as it currently gives up on error without recording the allocated pointer in the pstate pointer.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-06-18 CVE Reserved
2025-06-18 CVE Published
2025-06-18 CVE Updated
2025-08-25 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-401: Missing Release of Memory after Effective Lifetime

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/50a896cf2d6f34e884a00139d6e6012c9833ace3	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/83411c9f05d5a8b637293b3389eca3d378197c04	2022-08-25
https://git.kernel.org/stable/c/b0672895d8be5d19d4b05ac83f807026fc791037	2022-08-25
https://git.kernel.org/stable/c/26b6acd365823e99e46be3b27500f5dc235dda5e	2022-08-25
https://git.kernel.org/stable/c/249801360db3dec4f73768c502192020bfddeacc	2022-08-18

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-50042	2023-11-21
https://bugzilla.redhat.com/show_bug.cgi?id=2373691	2023-11-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 5.10.138 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.10.138"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 5.15.63 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.15.63"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 5.19.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.19.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 6.0"		en		Affected