CVE-2022-50873 in Linux
Summary
by MITRE • 12/30/2025
In the Linux kernel, the following vulnerability has been resolved:
vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove
In vp_vdpa_remove(), the code kfree(&vp_vdpa_mgtdev->mgtdev.id_table) uses a reference to the pointer as the argument of kfree, which is the wrong pointer, and then may hit a crash like this:
Unable to handle kernel paging request at virtual address 00ffff003363e30c
Internal error: Oops: 96000004 [#1] SMP
Call trace:
 rb_next+0x20/0x5c
 ext4_readdir+0x494/0x5c4 [ext4]
 iterate_dir+0x168/0x1b4
 __se_sys_getdents64+0x68/0x170
 __arm64_sys_getdents64+0x24/0x30
 el0_svc_common.constprop.0+0x7c/0x1bc
 do_el0_svc+0x2c/0x94
 el0_svc+0x20/0x30
 el0_sync_handler+0xb0/0xb4
 el0_sync+0x160/0x180
Code: 54000220 f9400441 b4000161 aa0103e0 (f9400821)
SMP: stopping secondary CPUs
Starting crashdump kernel...
Analysis
by VulDB Data Team • 04/26/2026
CVE-2022-50873 is a critical memory management error in the Linux kernel's virtual device passthrough subsystem, specifically in the vp_vdpa driver. The flaw sits in the vp_vdpa_remove function, where incorrect pointer handling leads to kernel crashes and system instability. It falls under improper pointer handling as classified by CWE-466: the code passes the address of a pointer variable, rather than the pointer itself, to the kfree deallocation function. The driver calls kfree(&vp_vdpa_mgtdev->mgtdev.id_table) instead of the correct kfree(vp_vdpa_mgtdev->mgtdev.id_table), so kfree is handed an address that was never returned by the allocator.
The flaw stems from a mistake in pointer semantics. When vp_vdpa_remove runs, it tears down the resources associated with the management device by freeing its memory structures. Applying the address-of operator (&) to the id_table member, however, yields a pointer to the pointer: the address of a field inside the containing structure, not the address of the allocated block. kfree is therefore asked to release memory that does not correspond to an allocation. This violates the kernel's memory management contract and can trigger an immediate crash, as shown by the oops trace reporting a kernel paging request failure at virtual address 00ffff003363e30c. The crash occurs because the memory subsystem attempts to access and free memory at an invalid virtual address, producing a fault that halts the system.
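To make the difference between the two kfree arguments concrete, here is an added user-space model of the bug and its fix (not the kernel's code). The *_model structs, the tracked_alloc/tracked_free registry and the probe/remove functions are hypothetical stand-ins; the registry plays the role a debug allocator such as SLUB debug or KASAN plays in flagging a free of a pointer that was never allocated.

```c
/* Added example, not the kernel's code: a user-space model of the
 * vp_vdpa_remove bug. All *_model names are hypothetical stand-ins. */
#include <stdlib.h>

struct virtio_device_id_model { unsigned int device, vendor; };
struct vdpa_mgmt_dev_model {
    void *device;                 /* fields precede id_table, as in the kernel struct */
    const struct virtio_device_id_model *id_table;
};
struct vp_vdpa_mgmtdev_model { struct vdpa_mgmt_dev_model mgtdev; };

/* Minimal allocation registry playing the role of SLUB debug / KASAN:
 * a free is valid only for a pointer the allocator actually handed out. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

/* 0 on a valid free; -1 for an invalid free (pointer was never allocated). */
static int tracked_free(void *p) {
    if (!p) return 0;                     /* like kfree(NULL): a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    return -1;
}

/* Models probe: the management device owns a heap-allocated id_table. */
static struct vp_vdpa_mgmtdev_model *probe_model(void) {
    struct vp_vdpa_mgmtdev_model *d = tracked_alloc(sizeof *d);
    struct virtio_device_id_model *ids = tracked_alloc(2 * sizeof *ids);
    if (!d || !ids) { tracked_free(d); tracked_free(ids); return NULL; }
    ids[0].device = 1; ids[0].vendor = 0x1af4;   /* constructed sample entry */
    d->mgtdev.id_table = ids;
    return d;
}

/* Buggy form: &field is the address of the pointer, which lives inside *d. */
static int remove_buggy(struct vp_vdpa_mgmtdev_model *d) {
    return tracked_free((void *)&d->mgtdev.id_table);
}

/* Fixed form: free the block the field points to, then the device itself. */
static int remove_fixed(struct vp_vdpa_mgmtdev_model *d) {
    int rc = tracked_free((void *)d->mgtdev.id_table);
    d->mgtdev.id_table = NULL;
    return tracked_free(d) ? -1 : rc;
}
```

In the real kernel the buggy call does not return an error code; it corrupts allocator state or faults, which is what the oops above shows.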
The operational impact goes beyond a simple crash: the flaw is a potential denial of service vector in environments where virtual device passthrough is actively used. An attacker could potentially trigger it through legitimate system operations involving virtual device management, causing system instability and service disruption. Affected systems are those running Linux kernel versions that include the vp_vdpa driver, particularly virtualization deployments where VDPA (Virtual Device Passthrough API) functionality is in use. This aligns with ATT&CK technique T1499.004 for resource exhaustion and could be leveraged as part of broader attack chains targeting virtualization infrastructure. The crash pattern in the kernel log shows that the vulnerability can terminate the whole system, requiring manual intervention or a reboot to restore normal operation.
Mitigating CVE-2022-50873 requires applying the kernel updates in which vendors have patched this memory management error. Administrators should prioritize the security patches that correct the pointer handling in vp_vdpa_remove so that kfree receives the pointer value rather than the address of the pointer variable. Monitoring should also be configured to detect unusual memory management behaviour that might indicate exploitation attempts, particularly in virtualized environments where VDPA is actively used. The fix from the kernel maintainers corrects the pointer error by passing the address of the allocated memory block to the deallocation function instead of an invalid address. Organizations should further validate, through comprehensive testing, that virtual device passthrough functions correctly after the patch is applied, since this vulnerability could mask other memory management issues in the kernel's virtualization subsystem.