CVE-2022-50666 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix QP destroy to wait for all references dropped.

Delay QP destroy completion until all siw references to QP are dropped. The calling RDMA core will free QP structure after successful return from siw_qp_destroy() call, so siw must not hold any remaining reference to the QP upon return. A use-after-free was encountered in xfstest generic/460, while testing NFSoRDMA. Here, after a TCP connection drop by peer, the triggered siw_cm_work_handler got delayed until after QP destroy call, referencing a QP which has already freed.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/29/2026

The vulnerability identified as CVE-2022-50666 resides within the Linux kernel's RDMA subsystem, specifically affecting the siw (Simple iWARP) implementation that handles RDMA over Converged Ethernet connections. This issue manifests as a race condition during the destruction of Queue Pair (QP) structures, which are fundamental components in RDMA operations for managing data transfer between network endpoints. The problem occurs in the context of Network File System over RDMA (NFSoRDMA) testing scenarios where the kernel's RDMA core and siw implementation must coordinate properly during connection teardown operations.

The technical flaw stems from improper synchronization during QP destruction processes where the siw implementation fails to properly wait for all references to be released before completing the destruction operation. In normal operation, when an RDMA connection is terminated, the RDMA core calls siw_qp_destroy() to free the QP structure, but this function returns before ensuring that all pending references to the QP have been properly dereferenced. This design flaw creates a window where the QP structure can be freed while still being referenced by asynchronous work handlers, leading to memory corruption and potential system instability.

The operational impact of this vulnerability is significant as it can result in use-after-free conditions that may lead to system crashes, data corruption, or in worst-case scenarios, privilege escalation attacks. The vulnerability was specifically observed during testing of NFSoRDMA functionality where a TCP connection drop by a peer triggered a delayed siw_cm_work_handler that attempted to reference a QP structure that had already been freed by the RDMA core. This particular scenario demonstrates how the timing of asynchronous operations can create dangerous race conditions between the core RDMA subsystem and the siw implementation, potentially allowing attackers to exploit the memory management inconsistency.

This vulnerability maps to CWE-415: Double Free and CWE-416: Use After Free, both of which are classified under the Common Weakness Enumeration framework for memory safety issues in software systems. From an ATT&CK perspective, this weakness could be leveraged for privilege escalation or denial of service attacks, potentially falling under techniques such as T1499.002: Endpoint Denial of Service and T1068: Exploitation for Privilege Escalation. The fix implemented addresses this by ensuring that QP destruction completion waits for all siw references to be dropped before returning control to the calling RDMA core, thereby preventing the premature freeing of QP structures while references still exist. This mitigation aligns with best practices for concurrent programming and memory management in kernel space where proper reference counting and synchronization are essential to prevent race conditions and memory corruption scenarios.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00214

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!