CVE-2022-50840 in Linux
Summary
by MITRE • 12/30/2025
In the Linux kernel, the following vulnerability has been resolved:
scsi: snic: Fix possible UAF in snic_tgt_create()
Smatch reports a warning as follows:
drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: '&tgt->list' not removed from list
If device_add() fails in snic_tgt_create(), tgt will be freed, but tgt->list will not be removed from snic->disc.tgt_list, then list traversal may cause UAF.
Remove from snic->disc.tgt_list before free().
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/25/2026
The vulnerability identified as CVE-2022-50840 represents a use-after-free condition within the Linux kernel's SCSI subsystem, specifically affecting the snic driver used for software-defined networking. This flaw exists in the snic_tgt_create() function where improper memory management can lead to critical system instability. The issue manifests when the device_add() function fails during target creation, causing the target structure to be prematurely freed while leaving its list entry intact in the discovery target list. This creates a scenario where subsequent list traversals may attempt to access freed memory, resulting in unpredictable behavior and potential security implications.
The technical root cause stems from a race condition in memory deallocation and list management within the SCSI target discovery process. When device_add() fails, the snic_tgt_create() function proceeds to free the target structure without first removing the associated list entry from snic->disc.tgt_list. This violates fundamental memory management principles and creates a dangling pointer scenario that can be exploited by malicious actors. The Smatch static analysis tool identified this pattern as a warning, specifically highlighting that '&tgt->list' is not properly removed from the list structure. This vulnerability directly maps to CWE-416, which describes the use of freed memory condition, and represents a classic example of improper resource management in kernel space operations.
The operational impact of this vulnerability extends beyond simple system instability to potentially enable privilege escalation and denial of service attacks. An attacker who can trigger the specific failure path in snic_tgt_create() could exploit the use-after-free condition to execute arbitrary code with kernel privileges, effectively compromising the entire system. The snic driver operates at the kernel level within the SCSI subsystem, making this vulnerability particularly dangerous as it can be leveraged to bypass security boundaries. The potential for exploitation increases when considering that the SCSI subsystem handles critical storage operations, and the snic driver is used in environments where software-defined networking requires kernel-level access to storage resources.
Mitigation strategies for CVE-2022-50840 focus on implementing proper memory management protocols and defensive programming practices. The fix requires removing the target list entry from snic->disc.tgt_list before freeing the target structure when device_add() fails, ensuring that all list references are properly cleaned up regardless of execution path. This approach aligns with ATT&CK technique T1068, which involves exploiting local privilege escalation vulnerabilities, and demonstrates the importance of proper resource cleanup in kernel modules. System administrators should prioritize applying the kernel patches that address this specific vulnerability, as the fix directly modifies the problematic code path to prevent the dangling pointer condition. Additionally, monitoring for unusual device_add() failures and implementing proper error handling mechanisms can help detect potential exploitation attempts, though the primary defense remains the corrected memory management implementation that prevents the vulnerability from manifesting in the first place.