CVE-2022-50441 in Linux
Summary
by MITRE • 10/01/2025
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Lag, fix failure to cancel delayed bond work
Commit 0d4e8ed139d8 ("net/mlx5: Lag, avoid lockdep warnings") accidentally removed a call to cancel delayed bond work thus it may cause queued delay to expire and fall on an already destroyed work queue.
Fix by restoring the call cancel_delayed_work_sync() before destroying the workqueue.
This prevents call trace such as this:
[ 329.230417] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 329.231444] #PF: supervisor write access in kernel mode
[ 329.232233] #PF: error_code(0x0002) - not-present page
[ 329.233007] PGD 0 P4D 0
[ 329.233476] Oops: 0002 [#1] SMP
[ 329.234012] CPU: 5 PID: 145 Comm: kworker/u20:4 Tainted: G OE 6.0.0-rc5_mlnx #1
[ 329.235282] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 329.236868] Workqueue: mlx5_cmd_0000:08:00.1 cmd_work_handler [mlx5_core]
[ 329.237886] RIP: 0010:_raw_spin_lock+0xc/0x20
[ 329.238585] Code: f0 0f b1 17 75 02 f3 c3 89 c6 e9 6f 3c 5f ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 02 f3 c3 89 c6 e9 45 3c 5f ff 0f 1f 44 00 00 0f 1f
[ 329.241156] RSP: 0018:ffffc900001b0e98 EFLAGS: 00010046
[ 329.241940] RAX: 0000000000000000 RBX: ffffffff82374ae0 RCX: 0000000000000000
[ 329.242954] RDX: 0000000000000001 RSI: 0000000000000014 RDI: 0000000000000000
[ 329.243974] RBP: ffff888106ccf000 R08: ffff8881004000c8 R09: ffff888100400000
[ 329.244990] R10: 0000000000000000 R11: ffffffff826669f8 R12: 0000000000002000
[ 329.246009] R13: 0000000000000005 R14: ffff888100aa7ce0 R15: ffff88852ca80000
[ 329.247030] FS: 0000000000000000(0000) GS:ffff88852ca80000(0000) knlGS:0000000000000000
[ 329.248260] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 329.249111] CR2: 0000000000000000 CR3: 000000016d675001 CR4: 0000000000770ee0
[ 329.250133] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 329.251152] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 329.252176] PKRU: 55555554
Analysis
by VulDB Data Team • 01/20/2026
The vulnerability described in CVE-2022-50441 affects the Linux kernel's mlx5 network driver implementation, specifically within the lag (link aggregation) functionality. This issue stems from a regression introduced in commit 0d4e8ed139d8 which inadvertently removed a critical call to cancel delayed work during the destruction of workqueues. The problem manifests when the system attempts to destroy a workqueue that contains delayed work items, leading to a potential race condition where queued work items may attempt to execute after the workqueue has been destroyed. This creates a scenario where kernel memory structures are accessed after deallocation, resulting in kernel NULL pointer dereferences and system crashes. The vulnerability represents a classic case of improper resource cleanup and workqueue management, where the absence of proper synchronization mechanisms during work item cancellation leads to memory safety violations.
The technical flaw occurs at the kernel level within the mlx5 driver's bond workqueue management system, specifically when the driver attempts to clean up network link aggregation resources. The removal of the cancel_delayed_work_sync() function call creates a window where delayed work items can be scheduled to execute after the workqueue has been destroyed. When these delayed work items eventually run, they attempt to access memory locations that have already been freed, causing the kernel to encounter NULL pointer dereferences. The call trace demonstrates a kernel oops condition where the _raw_spin_lock function fails due to accessing invalid memory addresses, indicating that the work item is attempting to operate on freed kernel structures. This type of vulnerability falls under CWE-415: Double Free, though it more accurately represents a use-after-free condition in kernel space, and it aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation through kernel memory corruption.
The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise system stability and availability in production environments utilizing Mellanox network adapters. When triggered, the vulnerability can cause kernel panics and system reboots, leading to service disruption for network-dependent applications. The issue is particularly concerning in high-availability environments where network link aggregation is heavily utilized, as it can cause unexpected downtime during network transitions or system maintenance operations. The vulnerability affects systems running kernel versions that include the problematic commit, with the fix requiring a proper call to cancel_delayed_work_sync() before destroying the workqueue to ensure all pending delayed work items are properly canceled and flushed before resource deallocation occurs.
Mitigation strategies for CVE-2022-50441 involve applying the kernel patch that restores the cancel_delayed_work_sync() call in the mlx5 driver's workqueue cleanup routine. System administrators should ensure their kernels are updated to versions that include the fix, typically kernel version 6.0 or later where the regression has been corrected. Monitoring systems should be implemented to detect potential kernel oops conditions or system crashes that may indicate exploitation of this vulnerability. Additionally, organizations should maintain up-to-date kernel security patches and perform regular vulnerability assessments of their network infrastructure. The fix itself represents a defensive programming practice that ensures proper resource cleanup and prevents race conditions in concurrent kernel operations, aligning with best practices for kernel module development and memory management in Linux systems.
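The monitoring recommended above can start with a triage pass over the kernel log. The following Python example is added here and is not code from MITRE, VulDB or the kernel project: it groups log lines into one record per NULL-dereference oops and flags records that resemble the trace quoted in the summary (an mlx5_core work item faulting in _raw_spin_lock). The sample log is constructed from that trace plus a hypothetical unrelated oops (example_wq, example_handler, example_mod, example_fn); a match is a prompt to check whether the running kernel carries the fix, not proof of this bug.

```python
import re

# Constructed sample: abridged from the trace quoted in the summary, plus one
# unrelated oops with hypothetical names (example_*) as a negative case.
SAMPLE_DMESG = """\
[  329.230417] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  329.233476] Oops: 0002 [#1] SMP
[  329.234012] CPU: 5 PID: 145 Comm: kworker/u20:4 Tainted: G OE 6.0.0-rc5_mlnx #1
[  329.236868] Workqueue: mlx5_cmd_0000:08:00.1 cmd_work_handler [mlx5_core]
[  329.237886] RIP: 0010:_raw_spin_lock+0xc/0x20
[  512.000100] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  512.000300] Workqueue: example_wq example_handler [example_mod]
[  512.000400] RIP: 0010:example_fn+0x1c/0x40
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")            # "[  ts] message"
BUG = re.compile(r"^BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
WORKQUEUE = re.compile(r"^Workqueue: (\S+) (\S+)(?: \[(\w+)\])?")
RIP = re.compile(r"^RIP: [0-9a-f]{4}:(\w+)\+")              # kernel symbol+offset

def parse_oopses(text):
    """Group kernel log lines into one record per NULL-dereference oops."""
    oopses = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a timestamped kernel log line
        ts, msg = float(m.group(1)), m.group(2)
        if (bug := BUG.match(msg)):
            oopses.append({"time": ts, "address": int(bug.group(1), 16),
                           "workqueue": None, "handler": None,
                           "module": None, "rip": None})
        elif oopses and (wq := WORKQUEUE.match(msg)):
            oopses[-1].update(workqueue=wq.group(1), handler=wq.group(2),
                              module=wq.group(3))
        elif oopses and oopses[-1]["rip"] is None and (rip := RIP.match(msg)):
            oopses[-1]["rip"] = rip.group(1)  # keep the first (faulting) RIP only
    return oopses

def resembles_quoted_trace(oops):
    """Triage heuristic: an mlx5_core work item that faulted in _raw_spin_lock."""
    return oops["module"] == "mlx5_core" and oops["rip"] == "_raw_spin_lock"

if __name__ == "__main__":
    for o in parse_oopses(SAMPLE_DMESG):
        flag = "REVIEW" if resembles_quoted_trace(o) else "other"
        print(f"{o['time']:.6f} {flag} wq={o['workqueue']} rip={o['rip']}")
```

Feed it the output of the host's kernel log collection in place of SAMPLE_DMESG; records flagged REVIEW identify hosts whose kernel should be checked for the restored cancel_delayed_work_sync() call.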