CVE-2022-50679 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix DMA mappings leak

During reallocation of RX buffers, new DMA mappings are created for those buffers.

steps for reproduction: while : do for ((i=0; i<=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done

This resulted in crash: i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536 Driver BUG WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50 Call Trace: i40e_free_rx_resources+0x70/0x80 [i40e]
i40e_set_ringparam+0x27c/0x800 [i40e]
ethnl_set_rings+0x1b2/0x290 genl_family_rcv_msg_doit.isra.15+0x10f/0x150 genl_family_rcv_msg+0xb3/0x160 ? rings_fill_reply+0x1a0/0x1a0 genl_rcv_msg+0x47/0x90 ? genl_family_rcv_msg+0x160/0x160 netlink_rcv_skb+0x4c/0x120 genl_rcv+0x24/0x40 netlink_unicast+0x196/0x230 netlink_sendmsg+0x204/0x3d0 sock_sendmsg+0x4c/0x50 __sys_sendto+0xee/0x160 ? handle_mm_fault+0xbe/0x1e0 ? syscall_trace_enter+0x1d3/0x2c0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x5b/0x1a0 entry_SYSCALL_64_after_hwframe+0x65/0xca RIP: 0033:0x7f5eac8b035b Missing register, driver bug WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140 Call Trace: xdp_rxq_info_unreg+0x1e/0x50 i40e_free_rx_resources+0x70/0x80 [i40e]
i40e_set_ringparam+0x27c/0x800 [i40e]
ethnl_set_rings+0x1b2/0x290 genl_family_rcv_msg_doit.isra.15+0x10f/0x150 genl_family_rcv_msg+0xb3/0x160 ? rings_fill_reply+0x1a0/0x1a0 genl_rcv_msg+0x47/0x90 ? genl_family_rcv_msg+0x160/0x160 netlink_rcv_skb+0x4c/0x120 genl_rcv+0x24/0x40 netlink_unicast+0x196/0x230 netlink_sendmsg+0x204/0x3d0 sock_sendmsg+0x4c/0x50 __sys_sendto+0xee/0x160 ? handle_mm_fault+0xbe/0x1e0 ? syscall_trace_enter+0x1d3/0x2c0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x5b/0x1a0 entry_SYSCALL_64_after_hwframe+0x65/0xca RIP: 0033:0x7f5eac8b035b

This was caused because of new buffers with different RX ring count should substitute older ones, but those buffers were freed in i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi, thus kfree on rx_bi caused leak of already mapped DMA.

Fix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally reallocate back to rx_bi when BPF program unloads.

If BPF program is loaded/unloaded and XSK pools are created, reallocate RX queues accordingly in XSP_SETUP_XSK_POOL handler.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/29/2026

The vulnerability CVE-2022-50679 represents a critical memory management flaw in the Intel i40e network driver for the Linux kernel, specifically addressing a DMA mapping leak during RX buffer reallocation operations. This issue stems from improper handling of memory resources when adjusting network ring parameters through ethtool commands, creating a condition where DMA mappings are not correctly freed during buffer reallocation processes. The flaw manifests when the driver attempts to reallocate RX buffers during runtime parameter changes, leading to a gradual accumulation of unreleased DMA mappings that eventually exhaust available memory resources.

The technical exploitation occurs through repeated execution of ethtool commands that modify RX ring parameters, specifically targeting the i40e network interface with commands like ethtool -G enp130s0f0 rx $i tx $i. This repetitive pattern triggers the driver's memory management routines to create new DMA mappings for RX buffers without properly cleaning up the previous mappings. The root cause lies in the i40e_configure_rx_ring function where new buffers are allocated and mapped, but older buffer information structures (rx_bi) are freed through kfree operations while their associated DMA mappings remain active in the system. This creates a memory leak scenario where DMA resources are consumed but never properly released, eventually leading to system instability and kernel crashes.

The operational impact of this vulnerability extends beyond simple resource exhaustion, as it can lead to complete system crashes and network interface failures. When the memory pool for RX descriptor rings becomes exhausted, the driver generates critical kernel warnings and ultimately crashes with the error message "Unable to allocate memory for the Rx descriptor ring, size=65536" and subsequent BUG messages in xdp_rxq_info_unreg functions. The crash occurs during the execution of netlink communication handlers and XDP (eXpress Data Path) operations, indicating that the memory leak affects core networking infrastructure components. This vulnerability particularly impacts systems running high-throughput network workloads where dynamic ring parameter adjustments are common, making it a significant concern for enterprise network infrastructure and cloud computing environments.

The fix implemented addresses the core memory management issue by introducing proper handling of zero-copy (ZC) buffer structures during BPF program lifecycle events. When BPF programs are loaded or unloaded, the driver now correctly reallocates the rx_bi_zc structures to maintain proper DMA mapping relationships, and transitions back to standard rx_bi structures when necessary. Additionally, the solution incorporates proper reallocation handling within the XSP_SETUP_XSK_POOL handler when XSK (XDP Socket) pools are created or destroyed, ensuring that DMA mappings are properly managed throughout the entire network interface lifecycle. This remediation aligns with CWE-401 Memory Leak and follows ATT&CK technique T1059.007 for system-level code execution, addressing the fundamental flaw in kernel memory management that allowed persistent resource consumption. The patch ensures that DMA mappings are consistently tracked and freed during buffer reallocation, preventing the accumulation of orphaned memory references that previously led to system instability and complete network interface failure.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00214

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!