CVE-2022-50295 in Linux
Summary
by MITRE • 09/15/2025
In the Linux kernel, the following vulnerability has been resolved:
io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()
Syzkaller produced the below call trace:
BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0 Write of size 8 at addr 0000000000000070 by task repro/16399
CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_msg_ring+0x3cb/0x9f0 kasan_report+0xbc/0xf0 ? io_msg_ring+0x3cb/0x9f0 kasan_check_range+0x140/0x190 io_msg_ring+0x3cb/0x9f0 ? io_msg_ring_prep+0x300/0x300 io_issue_sqe+0x698/0xca0 io_submit_sqes+0x92f/0x1c30 __do_sys_io_uring_enter+0xae4/0x24b0 .... RIP: 0033:0x7f2eaf8f8289 RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289 RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004 RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0 R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: panic_on_warn set ...
We don't have a NULL check on file_ptr in io_msg_send_fd() function, so when file_ptr is NUL src_file is also NULL and get_file() dereferences a NULL pointer and leads to above crash.
Add a NULL check to fix this issue.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/10/2026
The vulnerability described in CVE-2022-50295 represents a critical null pointer dereference flaw within the Linux kernel's io_uring implementation, specifically affecting the io_msg_send_fd() function. This issue manifests as a kernel panic due to improper validation of file pointer references during asynchronous I/O operations. The vulnerability was discovered through systematic testing using syzkaller, a coverage-guided fuzzer designed to identify kernel-level bugs. The call trace demonstrates a KASAN (Kernel Address Sanitizer) detection of a null pointer dereference occurring at address 0x70, which corresponds to a write operation of size 8 that triggers the kernel crash. The affected kernel version is 6.1.0-rc1, indicating this vulnerability exists in a recent development release and likely impacts multiple kernel versions.
The technical root cause of this vulnerability stems from the absence of a null pointer check within the io_msg_send_fd() function implementation. When the file_ptr parameter is null, the code proceeds to assign this null value to src_file, which then gets passed to get_file() function. The get_file() function attempts to dereference this null pointer, resulting in immediate kernel panic and system instability. This flaw aligns with CWE-476, which describes the use of a null pointer reference, and represents a classic case of inadequate input validation in kernel space code. The vulnerability specifically affects the io_uring subsystem's message ring functionality, which is part of the kernel's high-performance asynchronous I/O interface designed to handle thousands of I/O operations efficiently. The crash occurs during the io_msg_ring function execution, indicating that the issue is triggered when processing message ring operations that involve file descriptor passing.
The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential denial-of-service vector that could be exploited by malicious actors. An attacker with access to the system could potentially trigger this condition through crafted io_uring operations, leading to system instability and complete kernel panic. The vulnerability affects the io_uring subsystem's ability to properly handle file descriptor passing operations, which are fundamental to many high-performance applications and system services. This issue particularly impacts systems heavily dependent on asynchronous I/O operations, such as database servers, web servers, and high-throughput network applications. The null pointer dereference could also potentially provide a pathway for privilege escalation or information disclosure if exploited in conjunction with other vulnerabilities, making this a critical concern for system administrators and security professionals managing kernel-level services.
The fix for this vulnerability involves implementing a simple but crucial null pointer validation check within the io_msg_send_fd() function before proceeding with file operations. This remediation approach aligns with established security practices for kernel development and follows the principle of defensive programming. The solution directly addresses the root cause by ensuring that file_ptr is validated before being used to initialize src_file, preventing the subsequent null pointer dereference in get_file(). This fix demonstrates the importance of proper input validation in kernel space code, where even simple oversight can result in catastrophic system failures. The vulnerability also highlights the necessity of comprehensive testing and fuzzing of kernel subsystems, as evidenced by the syzkaller detection mechanism that identified this flaw. Organizations should prioritize applying the kernel patch that implements this null check, as it represents a straightforward but essential security measure that prevents the exploitation of this denial-of-service vulnerability and maintains system stability. The fix itself is minimal and low-risk, as it only adds a validation check without altering the core functionality or performance characteristics of the io_uring subsystem.