{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49916","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-05-01T14:05:17.251Z","datePublished":"2025-05-01T14:10:56.851Z","dateUpdated":"2026-05-11T19:09:11.591Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:09:11.591Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrose: Fix NULL pointer dereference in rose_send_frame()\n\nThe syzkaller reported an issue:\n\nKASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]\nCPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nWorkqueue: rcu_gp srcu_invoke_callbacks\nRIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101\nCall Trace:\n <IRQ>\n rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255\n rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009\n rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111\n call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474\n expire_timers kernel/time/timer.c:1519 [inline]\n __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790\n __run_timers kernel/time/timer.c:1768 [inline]\n run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803\n __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571\n [...]\n </IRQ>\n\nIt triggers NULL pointer dereference when 'neigh->dev->dev_addr' is\ncalled in the rose_send_frame(). It's the first occurrence of the\n`neigh` is in rose_loopback_timer() as `rose_loopback_neigh', and\nthe 'dev' in 'rose_loopback_neigh' is initialized sa nullptr.\n\nIt had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf\n(\"rose: Fix Null pointer dereference in rose_send_frame()\") ever.\nBut it's introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8\n(\"rose: check NULL rose_loopback_neigh->loopback\") again.\n\nWe fix it by add NULL check in rose_transmit_clear_request(). When\nthe 'dev' in 'neigh' is NULL, we don't reply the request and just\nclear it.\n\nsyzkaller don't provide repro, and I provide a syz repro like:\nr0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)\nioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\\x00', 0x201})\nr1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)\nbind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)\nconnect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rose/rose_link.c"],"versions":[{"version":"76885373129b13df35ecc9b4ee86ea5840f12133","lessThan":"01b9c68c121847d05a4ccef68244dadf82bfa331","status":"affected","versionType":"git"},{"version":"b8f9de195d6303f52bae16c7911f35ac14ba7e3d","lessThan":"bbc03d74e641e824754443b908454ca9e203773e","status":"affected","versionType":"git"},{"version":"0aae33feb7a56b28318f92c960a3d08d9c305984","lessThan":"5b46adfbee1e429f33b10a88d6c00fa88f3d6c77","status":"affected","versionType":"git"},{"version":"6e4b20d548fc97ecbdca15c8d96302ee5e3e6313","lessThan":"b13be5e852b03f376058027e462fad4230240891","status":"affected","versionType":"git"},{"version":"de3deadd11987070788b48825bec4647458b988d","lessThan":"f06186e5271b980bac03f5c97276ed0146ddc9b0","status":"affected","versionType":"git"},{"version":"9cf85759e104d7e9c3fd8920a554195b715d6797","lessThan":"3e2129c67daca21043a26575108f6286c85e71f6","status":"affected","versionType":"git"},{"version":"3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8","lessThan":"a601e5eded33bb88b8a42743db8fef3ad41dd97e","status":"affected","versionType":"git"},{"version":"3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8","lessThan":"e97c089d7a49f67027395ddf70bf327eeac2611e","status":"affected","versionType":"git"},{"version":"9197ca40fd9de265caedba70d0cb5814c4e45952","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rose/rose_link.c"],"versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","status":"unaffected","versionType":"semver"},{"version":"4.9.333","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.299","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.265","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.224","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.154","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.78","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.8","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.327","versionEndExcluding":"4.9.333"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.292","versionEndExcluding":"4.14.299"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.257","versionEndExcluding":"4.19.265"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.212","versionEndExcluding":"5.4.224"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.140","versionEndExcluding":"5.10.154"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.64","versionEndExcluding":"5.15.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.0.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01b9c68c121847d05a4ccef68244dadf82bfa331"},{"url":"https://git.kernel.org/stable/c/bbc03d74e641e824754443b908454ca9e203773e"},{"url":"https://git.kernel.org/stable/c/5b46adfbee1e429f33b10a88d6c00fa88f3d6c77"},{"url":"https://git.kernel.org/stable/c/b13be5e852b03f376058027e462fad4230240891"},{"url":"https://git.kernel.org/stable/c/f06186e5271b980bac03f5c97276ed0146ddc9b0"},{"url":"https://git.kernel.org/stable/c/3e2129c67daca21043a26575108f6286c85e71f6"},{"url":"https://git.kernel.org/stable/c/a601e5eded33bb88b8a42743db8fef3ad41dd97e"},{"url":"https://git.kernel.org/stable/c/e97c089d7a49f67027395ddf70bf327eeac2611e"}],"title":"rose: Fix NULL pointer dereference in rose_send_frame()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-476","lang":"en","description":"CWE-476 NULL Pointer Dereference"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-10-01T16:00:00.455092Z","id":"CVE-2022-49916","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T16:00:19.393Z"}}]}}