Linux Kernel up to 5.10.151/5.15.75/6.0.5 convert_context gfp_t stack-based overflow

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.6 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical was found in Linux Kernel up to 5.10.151/5.15.75/6.0.5. The impacted element is the function convert_context. Executing a manipulation of the argument gfp_t can lead to stack-based overflow.
This vulnerability is registered as CVE-2022-50699. No exploit is available.
Upgrading the affected component is advised.
Details
A vulnerability classified as critical was found in Linux Kernel up to 5.10.151/5.15.75/6.0.5. This vulnerability affects the function convert_context. The manipulation of the argument gfp_t with an unknown input leads to a stack-based overflow vulnerability. The CWE definition for the vulnerability is CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
In the Linux kernel, the following vulnerability has been resolved: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context() The following warning was triggered on a hardware environment: SELinux: Converting 162 SID table entries... BUG: sleeping function called from invalid context at __might_sleep+0x60/0x74 0x0 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1 Call trace: dump_backtrace+0x0/0x1c8 show_stack+0x18/0x28 dump_stack+0xe8/0x15c ___might_sleep+0x168/0x17c __might_sleep+0x60/0x74 __kmalloc_track_caller+0xa0/0x7dc kstrdup+0x54/0xac convert_context+0x48/0x2e4 sidtab_context_to_sid+0x1c4/0x36c security_context_to_sid_core+0x168/0x238 security_context_to_sid_default+0x14/0x24 inode_doinit_use_xattr+0x164/0x1e4 inode_doinit_with_dentry+0x1c0/0x488 selinux_d_instantiate+0x20/0x34 security_d_instantiate+0x70/0xbc d_splice_alias+0x4c/0x3c0 ext4_lookup+0x1d8/0x200 [ext4] __lookup_slow+0x12c/0x1e4 walk_component+0x100/0x200 path_lookupat+0x88/0x118 filename_lookup+0x98/0x130 user_path_at_empty+0x48/0x60 vfs_statx+0x84/0x140 vfs_fstatat+0x20/0x30 __se_sys_newfstatat+0x30/0x74 __arm64_sys_newfstatat+0x1c/0x2c el0_svc_common.constprop.0+0x100/0x184 do_el0_svc+0x1c/0x2c el0_svc+0x20/0x34 el0_sync_handler+0x80/0x17c el0_sync+0x13c/0x140 SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is not valid (left unmapped). It was found that within a critical section of spin_lock_irqsave in sidtab_context_to_sid(), convert_context() (hooked by sidtab_convert_params.func) might cause the process to sleep via allocating memory with GFP_KERNEL, which is problematic. As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL. Therefore, fix this problem by adding a gfp_t argument for convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC properly in individual callers. [PM: wrap long BUG() output lines, tweak subject line]
The advisory is shared for download at git.kernel.org. This vulnerability was named CVE-2022-50699 since 12/24/2025. The exploitation appears to be easy. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 02/24/2026).
The vulnerability scanner Nessus provides a plugin with the ID 279932 (Linux Distros Unpatched Vulnerability : CVE-2022-50699), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 5.10.152, 5.15.76 or 6.0.6 eliminates this vulnerability. Applying the patch 2723875e9d677401d775a03a72abab7e9538c20c/3006766d247bc93a25b34e92fff2f75bda597e2e/277378631d26477451424cc73982b977961f3d8b/abe3c631447dcd1ba7af972fe6f054bee6f136fa is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (279932) and CERT Bund (WID-SEC-2025-2920). VulDB is the best source for vulnerability data and more expert information about this specific topic.
Affected
- Debian Linux
- Amazon Linux 2
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- SUSE openSUSE
- Open Source Linux Kernel
- RESF Rocky Linux
Product
Type
Vendor
Name
Version
- 5.10.151
- 5.15.0
- 5.15.1
- 5.15.2
- 5.15.3
- 5.15.4
- 5.15.5
- 5.15.6
- 5.15.7
- 5.15.8
- 5.15.9
- 5.15.10
- 5.15.11
- 5.15.12
- 5.15.13
- 5.15.14
- 5.15.15
- 5.15.16
- 5.15.17
- 5.15.18
- 5.15.19
- 5.15.20
- 5.15.21
- 5.15.22
- 5.15.23
- 5.15.24
- 5.15.25
- 5.15.26
- 5.15.27
- 5.15.28
- 5.15.29
- 5.15.30
- 5.15.31
- 5.15.32
- 5.15.33
- 5.15.34
- 5.15.35
- 5.15.36
- 5.15.37
- 5.15.38
- 5.15.39
- 5.15.40
- 5.15.41
- 5.15.42
- 5.15.43
- 5.15.44
- 5.15.45
- 5.15.46
- 5.15.47
- 5.15.48
- 5.15.49
- 5.15.50
- 5.15.51
- 5.15.52
- 5.15.53
- 5.15.54
- 5.15.55
- 5.15.56
- 5.15.57
- 5.15.58
- 5.15.59
- 5.15.60
- 5.15.61
- 5.15.62
- 5.15.63
- 5.15.64
- 5.15.65
- 5.15.66
- 5.15.67
- 5.15.68
- 5.15.69
- 5.15.70
- 5.15.71
- 5.15.72
- 5.15.73
- 5.15.74
- 5.15.75
- 6.0.0
- 6.0.1
- 6.0.2
- 6.0.3
- 6.0.4
- 6.0.5
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.0VulDB Meta Temp Score: 7.6
VulDB Base Score: 8.0
VulDB Temp Score: 7.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Stack-based overflowCWE: CWE-121 / CWE-119
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 279932
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2022-50699
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 5.10.152/5.15.76/6.0.6
Patch: 2723875e9d677401d775a03a72abab7e9538c20c/3006766d247bc93a25b34e92fff2f75bda597e2e/277378631d26477451424cc73982b977961f3d8b/abe3c631447dcd1ba7af972fe6f054bee6f136fa
Timeline
12/24/2025 Advisory disclosed12/24/2025 CVE reserved
12/24/2025 VulDB entry created
02/24/2026 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2022-50699 (🔒)
GCVE (CVE): GCVE-0-2022-50699
GCVE (VulDB): GCVE-100-337960
CERT Bund: WID-SEC-2025-2920 - Linux Kernel: Mehrere Schwachstellen
Entry
Created: 12/24/2025 14:24Updated: 02/24/2026 14:10
Changes: 12/24/2025 14:24 (59), 12/24/2025 16:11 (7), 12/26/2025 11:21 (2), 01/29/2026 20:13 (1), 02/24/2026 14:10 (1)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.