CVE-2022-50706 in Linux
Summary
by MITRE • 12/24/2025
In the Linux kernel, the following vulnerability has been resolved:
net/ieee802154: don't warn zero-sized raw_sendmsg()
syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],
for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting __dev_queue_xmit() with skb->len == 0.
Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was able to return 0, don't call __dev_queue_xmit() if packet length is 0.
----------
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char *argv[])
{
	struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
	struct iovec iov = { };
	struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 };
	sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0);
	return 0;
}
----------
Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len") should be reverted, for skb->len == 0 was acceptable for at least PF_IEEE802154 socket.
Analysis
by VulDB Data Team • 02/24/2026
The vulnerability identified as CVE-2022-50706 represents a kernel-level issue within the Linux networking subsystem that affects IEEE802154 protocol handling. This flaw manifests in the net/ieee802154 subsystem, where zero-sized raw_sendmsg() operations trigger unexpected behavior in the packet transmission pipeline. The vulnerability was discovered through automated testing by syzbot, which consistently encountered skb_assert_len() warnings during execution of the __dev_queue_xmit() function. The specific condition occurs when PF_IEEE802154 socket implementations attempt to process zero-length packet requests that should be valid within their protocol context.
The technical root cause stems from the improper handling of zero-sized packets within the kernel's network packet processing chain. When a raw_sendmsg() operation is performed on an IEEE802154 socket with zero-length data, the system attempts to pass this empty packet through the __dev_queue_xmit() function which is designed to validate packet lengths and typically rejects zero-sized packets. However, IEEE802154 protocol specifications legitimately support zero-length packets in certain operational contexts, making the kernel's strict validation inappropriate for this specific socket type. This creates a scenario where the kernel's assertion mechanism fails because it doesn't account for protocol-specific valid edge cases.
The operational impact of this vulnerability extends beyond simple kernel warnings to potentially disrupt network operations and system stability. When zero-sized packets are sent through IEEE802154 sockets, the kernel's assertion failure can cause unexpected behavior in the network stack, potentially leading to denial of service conditions or system instability. The vulnerability demonstrates a gap in kernel protocol handling where generic validation mechanisms don't properly account for the specific requirements of different network protocols. This issue particularly affects embedded systems and wireless sensor networks that rely on IEEE802154 for low-power communication, where zero-length packets may be legitimate for protocol control operations.
Security implications of this vulnerability align with CWE-129, which addresses improper validation of array indices and other inputs. The issue also relates to ATT&CK technique T1059.005, which covers the use of system services and commands for privilege escalation or system manipulation. The vulnerability demonstrates how kernel-level protocol handling can create unexpected attack surfaces when validation logic doesn't properly consider protocol-specific requirements. The suggested mitigation involves modifying the kernel code to check for zero-length packets before invoking __dev_queue_xmit() for IEEE802154 sockets, effectively preventing the assertion failure while maintaining proper protocol compliance. Additionally, the vulnerability report suggests that a previous commit may need to be reverted to properly handle the case where zero-length packets were previously considered acceptable for this protocol family. This represents a broader class of issues where kernel subsystems need to properly distinguish between generic validation requirements and protocol-specific valid edge cases.
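The zero-length guard described above, as an added user-space model in C; it is not the kernel's code and not part of the original page. All names (`model_dev`, `model_queue_xmit`, `model_sendmsg_before`, `model_sendmsg_after`, `model_warns`), the size-limit check and the constructed limit of 127 bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* User-space model only: every name here is hypothetical, not kernel code. */
struct model_dev {
    size_t mtu;        /* assumed per-device size limit (constructed value) */
    unsigned queued;   /* packets handed to the transmit path */
    unsigned warnings; /* times the length assertion fired */
};

/* Stand-in for __dev_queue_xmit(): its length assertion fires on len == 0. */
static int model_queue_xmit(struct model_dev *dev, size_t len)
{
    if (len == 0)
        dev->warnings++; /* models the skb_assert_len() warning */
    dev->queued++;
    return 0;
}

/* Before the fix: a zero-sized request falls through to the transmit path. */
int model_sendmsg_before(struct model_dev *dev, size_t size)
{
    if (size > dev->mtu)
        return -EMSGSIZE;
    int err = model_queue_xmit(dev, size);
    return err ? err : (int)size;
}

/* After the fix: a zero-sized request returns 0 without queuing anything. */
int model_sendmsg_after(struct model_dev *dev, size_t size)
{
    if (size > dev->mtu)
        return -EMSGSIZE;
    if (size == 0)
        return 0; /* same return value as before, no transmit call */
    int err = model_queue_xmit(dev, size);
    return err ? err : (int)size;
}

/* Run one request against a fresh device and report whether it warned. */
bool model_warns(int (*send)(struct model_dev *, size_t), size_t size)
{
    struct model_dev dev = { .mtu = 127, .queued = 0, .warnings = 0 };
    send(&dev, size);
    return dev.warnings != 0;
}
```

The caller sees the same return value of 0 in both versions; only the transmit call, and with it the warning, disappears.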
The vulnerability highlights the complexity of maintaining kernel-level protocol compatibility while enforcing security validation mechanisms. The IEEE802154 protocol requires specific handling that differs from other network protocols, and the kernel's generic packet validation logic fails to properly accommodate these specialized requirements. This issue demonstrates the importance of protocol-specific handling in kernel networking code and the potential for seemingly minor validation logic to create significant operational problems. The fix addresses the immediate problem by preventing the problematic code path while maintaining the security benefits of proper packet validation for other protocol types. This vulnerability underscores the need for comprehensive testing of kernel protocol implementations across different network families and the importance of considering edge cases that may be valid within specific protocol contexts but invalid in generic validation frameworks.