CVE-2022-50867 in Linux

Summary

by MITRE • 12/30/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage

adreno_show_object() is a trap! It will re-allocate the pointer it is passed on first call, when the data is ascii85 encoded, using kvmalloc/kvfree(). Which means the data *passed* to it must be kvmalloc'd, i.e. we cannot use the state_kcalloc() helper.

This partially reverts commit ec8f1813bf8d ("drm/msm/a6xx: Replace kcalloc() with kvzalloc()"), but adds the missing kvfree() to fix the memory leak that was present previously. And adds a warning comment.

Patchwork: https://patchwork.freedesktop.org/patch/507014/
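The ownership contract described in the summary, as an added userspace C model (not code from the kernel or from the patch): a show-object routine that swaps the caller's pointer on first use and frees the original with one specific allocator. All model_* names, the owner tags and the hex encoding standing in for ascii85 are assumptions of this example, and a mismatched free is reported here rather than carried out.

```c
/* Constructed userspace model; model_* names are hypothetical, not kernel functions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum owner { OWNER_KV = 1, OWNER_STATE = 2 };
struct hdr { enum owner owner; size_t len; };  /* bookkeeping before each buffer */
static int live;                               /* outstanding allocations */
static void *model_alloc(size_t len, enum owner o) {
    struct hdr *h = calloc(1, sizeof(*h) + len);
    if (!h) return NULL;
    h->owner = o; h->len = len; live++;
    return h + 1;
}
/* kvfree() stand-in: rejects a buffer it does not own instead of corrupting. */
static int model_kvfree(void *p) {
    struct hdr *h = (struct hdr *)p - 1;
    if (h->owner != OWNER_KV) return -1;       /* allocator mismatch */
    live--; free(h);
    return 0;
}
/* Like adreno_show_object(): the first call swaps *ptr for an encoded copy. */
static int model_show_object(void **ptr, size_t len, int *encoded) {
    if (*encoded) return 0;
    char *enc = model_alloc(2 * len + 1, OWNER_KV);
    if (!enc) return -2;
    for (size_t i = 0; i < len; i++)           /* hex stands in for ascii85 */
        sprintf(enc + 2 * i, "%02x", ((unsigned char *)*ptr)[i]);
    if (model_kvfree(*ptr)) { model_kvfree(enc); return -1; }
    *ptr = enc; *encoded = 1;
    return 0;
}
/* Returns 0 if clean, -1 on allocator mismatch, 1 if the buffer leaked. */
static int dump_with(enum owner o, int free_after) {
    int base = live, encoded = 0;
    void *buf = model_alloc(8, o);
    if (!buf) return -2;
    memset(buf, 0xab, 8);
    if (model_show_object(&buf, 8, &encoded)) return -1;
    if (model_show_object(&buf, 8, &encoded)) return -1;  /* no second swap */
    if (free_after && model_kvfree(buf)) return -1;       /* kvfree() from the fix */
    return live != base;
}
int main(void) {
    printf("kvzalloc + kvfree: %d\n", dump_with(OWNER_KV, 1));
    printf("state_kcalloc:     %d\n", dump_with(OWNER_STATE, 1));
    printf("kvzalloc, no free: %d\n", dump_with(OWNER_KV, 0));
    return 0;
}
```

The three calls correspond to the fixed path, the state_kcalloc() path the summary rules out, and the earlier leak that the added kvfree() closes.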

Analysis

by VulDB Data Team • 04/26/2026

The vulnerability CVE-2022-50867 represents a critical memory management flaw within the Linux kernel's graphics subsystem, specifically affecting the adreno GPU driver component. This issue manifests in the drm/msm/a6xx driver module which handles Qualcomm Adreno GPU architectures. The flaw stems from improper memory allocation and deallocation patterns that create both memory leaks and potential use-after-free conditions. The vulnerability was introduced through a previous commit that replaced kcalloc() with kvzalloc() without properly accounting for the different memory management requirements of the affected code paths. The adreno_show_object() function serves as the primary attack surface where the problematic behavior occurs, making this a targeted memory corruption vulnerability within the graphics driver stack.

The technical root cause of this vulnerability lies in the incorrect usage of kernel memory allocation functions within the GPU driver's object display functionality. When adreno_show_object() processes data that requires ASCII85 encoding, it attempts to reallocate the passed pointer using kvmalloc() and kvfree() functions. However, the calling code had been modified to use state_kcalloc() which allocates memory differently than kvmalloc(). This mismatch creates a scenario where the function receives memory allocated with one method but attempts to free it with another, leading to memory corruption. The fix requires a partial revert of the problematic commit while adding proper memory cleanup through kvfree() and including warning comments to prevent future regressions. This type of memory management error falls under CWE-415: Double Free and CWE-416: Use After Free, both of which represent serious memory safety vulnerabilities. The ATT&CK framework would categorize this under T1059.001: Command and Scripting Interpreter - PowerShell and T1547.001: Registry Run Keys / Startup Folder as it affects system-level components that could be exploited to gain elevated privileges.

The operational impact of this vulnerability extends beyond simple memory leaks, as it represents a potential path for privilege escalation and system instability within graphics-intensive applications. When exploited, this flaw could allow malicious actors to corrupt kernel memory, potentially leading to arbitrary code execution with kernel privileges. The vulnerability affects systems running Linux kernels with the affected drm/msm/a6xx driver, particularly those utilizing Qualcomm Adreno GPUs in mobile devices, embedded systems, or automotive applications. The memory corruption could manifest as system crashes, data corruption, or more severe security implications depending on the exploitation vector. Organizations using Linux-based systems with Qualcomm GPU hardware should prioritize patching this vulnerability as it could be leveraged in sophisticated attacks targeting embedded systems or mobile platforms. The fix requires careful attention to memory management patterns within kernel modules and proper coordination with upstream kernel maintainers to ensure consistent behavior across different kernel versions and hardware configurations.

Responsible: Linux
Reservation: 12/30/2025
Disclosure: 12/30/2025
Moderation: accepted
CPE: ready
EPSS: 0.00156
KEV: no
Activities: low
