CVE-2022-50334 in Linux

Summary

by MITRE • 09/15/2025

In the Linux kernel, the following vulnerability has been resolved:

hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()

Syzkaller reports a null-ptr-deref bug as follows:

======================================================
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380
[...]
Call Trace:
 <TASK>
 vfs_parse_fs_param fs/fs_context.c:148 [inline]
 vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129
 vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191
 generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231
 do_new_mount fs/namespace.c:3036 [inline]
 path_mount+0x12de/0x1e20 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
 </TASK>
======================================================

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length.

Yet the problem is that hugetlbfs_parse_param() will dereference param->string without checking whether it is a null pointer. To be more specific, if hugetlbfs_parse_param() parses an illegal mount parameter, such as "size=,", the kernel will construct a struct fs_parameter with a null pointer in vfs_parse_fs_string(), then pass this struct fs_parameter to hugetlbfs_parse_param(), which triggers the above null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in hugetlbfs_parse_param().


Analysis

by VulDB Data Team • 01/10/2026

The vulnerability CVE-2022-50334 represents a critical null pointer dereference flaw within the Linux kernel's hugetlbfs filesystem implementation. This issue manifests specifically in the hugetlbfs_parse_param() function located in fs/hugetlbfs/inode.c at line 1380, where the kernel fails to validate whether the parameter string pointer remains non-null before attempting to dereference it. The vulnerability was identified through systematic fuzzing by the Syzkaller project, which detected a kernel address sanitizer (KASAN) null pointer dereference error during filesystem parameter parsing operations. The root cause stems from the interaction between the VFS layer's parameter parsing mechanism and the hugetlbfs-specific parameter handler, creating a scenario where malformed mount parameters can trigger unexpected kernel crashes.

The technical exploitation pathway involves the kernel's handling of zero-length string values in filesystem parameter parsing. As documented in commit "vfs: parse: deal with zero length string value", the vfs_parse_fs_string() function explicitly sets param->string to a null pointer when encountering zero-length string values. However, the hugetlbfs_parse_param() function does not implement proper null pointer validation before accessing this parameter, creating a direct path for null pointer dereference when processing malformed mount options such as "size=,". This specific scenario occurs because the parameter parsing logic constructs a fs_parameter structure with a null string pointer, which is then passed unconditionally to the hugetlbfs-specific parsing function without prior validation, resulting in immediate kernel panic upon dereference.

This vulnerability directly maps to CWE-476, which describes the weakness of null pointer dereference in software systems, and aligns with ATT&CK technique T1059.003 for privilege escalation through kernel exploitation. The operational impact is severe, since malicious or malformed mount parameters processed by the hugetlbfs filesystem can crash the system and cause a denial of service. Attackers could leverage this flaw to induce kernel panics on systems using huge page filesystems, particularly in environments where untrusted users have access to mount operations. The vulnerability affects kernel versions that do not carry the fix, which is of particular concern for production systems that rely on hugetlbfs for high-performance computing workloads.

The mitigation strategy involves implementing a simple but critical null pointer check within the hugetlbfs_parse_param() function before any dereference operations on the param->string pointer. This defensive programming approach aligns with the principle of input validation and follows established kernel security practices for parameter handling. The fix ensures that when the VFS layer passes a null string pointer due to zero-length parameter values, the hugetlbfs implementation gracefully handles this condition rather than proceeding to dereference the null pointer. This patch represents a standard security hardening measure that prevents exploitation of the null pointer dereference while maintaining full backward compatibility with legitimate parameter values, effectively closing the vulnerability without disrupting normal filesystem operations or breaking existing functionality.
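The parsing path that the summary and the analysis above describe, as an added userland model written for this page (it is not kernel code and not the project's patch): a miniature vfs_parse_fs_string() that hands over a NULL param->string for a zero-length value, the pre-fix shape of hugetlbfs_parse_param() that dereferences that pointer, and the post-fix shape with the sanity check in front of every use. The structure and function names are borrowed from the kernel for readability; model_vfs_parse_fs_string(), model_memparse(), parse_size_option() and size_bytes() are assumed simplifications that exist only in this example.

```c
/* Added illustration (not kernel code): a userland model of the
 * vfs_parse_fs_string() -> hugetlbfs_parse_param() path discussed above.
 * Names mirror the kernel's, but the structures and parsing are simplified. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fs_parameter {
    const char *key;
    char *string;   /* NULL when the value has zero length, as in the VFS commit cited above */
};

struct hugetlbfs_fs_context {
    unsigned long max_size_opt;   /* bytes requested via size= */
};

/* Model of vfs_parse_fs_string(): a zero-length value leaves string == NULL. */
static void model_vfs_parse_fs_string(struct fs_parameter *param, const char *key,
                                      const char *value, size_t v_size)
{
    param->key = key;
    param->string = NULL;
    if (v_size == 0)
        return;
    param->string = malloc(v_size + 1);
    if (!param->string)
        return;
    memcpy(param->string, value, v_size);
    param->string[v_size] = '\0';
}

/* Simplified memparse(): a number with an optional K/M/G suffix. */
static unsigned long model_memparse(const char *s, char **end)
{
    unsigned long v = strtoul(s, end, 0);
    switch (**end) {
    case 'G': case 'g': v <<= 10; /* fall through */
    case 'M': case 'm': v <<= 10; /* fall through */
    case 'K': case 'k': v <<= 10; (*end)++; break;
    default: break;
    }
    return v;
}

/* Pre-fix shape of the size= handling: param->string is used without a check,
 * so the NULL produced by "size=," would be dereferenced. Kept only to show the
 * defect beside the fix; parse_size_option() never feeds it a NULL string. */
static int hugetlbfs_parse_param_vulnerable(struct hugetlbfs_fs_context *ctx,
                                            struct fs_parameter *param)
{
    char *rest;
    if (strcmp(param->key, "size") != 0)
        return -EINVAL;
    if (!isdigit((unsigned char)param->string[0]))   /* NULL deref when string == NULL */
        return -EINVAL;
    ctx->max_size_opt = model_memparse(param->string, &rest);
    return 0;
}

/* Post-fix shape: reject the parameter when its value string is absent,
 * before anything touches it. */
static int hugetlbfs_parse_param_fixed(struct hugetlbfs_fs_context *ctx,
                                       struct fs_parameter *param)
{
    char *rest;
    if (strcmp(param->key, "size") != 0)
        return -EINVAL;
    if (!param->string)   /* the added sanity check */
        return -EINVAL;
    if (!isdigit((unsigned char)param->string[0]))
        return -EINVAL;
    ctx->max_size_opt = model_memparse(param->string, &rest);
    return 0;
}

/* Split one "key=value[,...]" option the way the monolithic option parser
 * hands it to vfs_parse_fs_string(): the value runs to the next ',' or the end
 * of the string, so "size=," carries a zero-length value. Returns 0 and stores
 * the byte count in *out, or a negative errno. */
static int parse_size_option(const char *opt, int use_fixed, unsigned long *out)
{
    const char *eq = strchr(opt, '=');
    char key[32];
    if (!eq || (size_t)(eq - opt) >= sizeof(key))
        return -EINVAL;
    memcpy(key, opt, (size_t)(eq - opt));
    key[eq - opt] = '\0';

    const char *val = eq + 1;
    const char *comma = strchr(val, ',');
    size_t v_size = comma ? (size_t)(comma - val) : strlen(val);

    struct fs_parameter param;
    struct hugetlbfs_fs_context ctx = { 0 };
    model_vfs_parse_fs_string(&param, key, val, v_size);
    /* Only the fixed parser is safe for a zero-length value. */
    int ret = (use_fixed || v_size == 0) ? hugetlbfs_parse_param_fixed(&ctx, &param)
                                         : hugetlbfs_parse_param_vulnerable(&ctx, &param);
    free(param.string);
    if (ret == 0 && out)
        *out = ctx.max_size_opt;
    return ret;
}

/* Convenience wrapper: byte count parsed by the fixed parser, 0 on error. */
static unsigned long size_bytes(const char *opt)
{
    unsigned long bytes = 0;
    return parse_size_option(opt, 1, &bytes) == 0 ? bytes : 0;
}

int main(void)
{
    const char *opts[] = { "size=2M", "size=512K,mode=0700", "size=abc", "size=," };
    for (size_t i = 0; i < sizeof(opts) / sizeof(opts[0]); i++)
        printf("%-22s -> bytes=%lu\n", opts[i], size_bytes(opts[i]));
    return 0;
}
```

Running it shows "size=2M" and "size=512K,mode=0700" parsed to byte counts while "size=abc" and "size=," are refused with -EINVAL by the fixed parser; the one-line check is all that separates the refusal from the dereference the KASAN report shows.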

Responsible

Linux

Reservation

09/15/2025

Disclosure

09/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00147

KEV

no

Activities

very low
