{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50241","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-15T13:58:00.971Z","datePublished":"2025-09-15T14:01:47.539Z","dateUpdated":"2026-05-11T19:15:30.132Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:15:30.132Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix use-after-free on source server when doing inter-server copy\n\nUse-after-free occurred when the laundromat tried to free expired\ncpntf_state entry on the s2s_cp_stateids list after inter-server\ncopy completed. The sc_cp_list that the expired copy state was\ninserted on was already freed.\n\nWhen COPY completes, the Linux client normally sends LOCKU(lock_state x),\nFREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.\nThe nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state\nfrom the s2s_cp_stateids list before freeing the lock state's stid.\n\nHowever, sometimes the CLOSE was sent before the FREE_STATEID request.\nWhen this happens, the nfsd4_close_open_stateid call from nfsd4_close\nfrees all lock states on its st_locks list without cleaning up the copy\nstate on the sc_cp_list list. When the time the FREE_STATEID arrives the\nserver returns BAD_STATEID since the lock state was freed. This causes\nthe use-after-free error to occur when the laundromat tries to free\nthe expired cpntf_state.\n\nThis patch adds a call to nfs4_free_cpntf_statelist in\nnfsd4_close_open_stateid to clean up the copy state before calling\nfree_ol_stateid_reaplist to free the lock state's stid on the reaplist."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4state.c"],"versions":[{"version":"624322f1adc58acd0b69f77a6ddc764207e97241","lessThan":"bbacfcde5fff25ac22597e8373a065c647da6738","status":"affected","versionType":"git"},{"version":"624322f1adc58acd0b69f77a6ddc764207e97241","lessThan":"83b94969751a691347606dbe6b1865efcfa5a643","status":"affected","versionType":"git"},{"version":"624322f1adc58acd0b69f77a6ddc764207e97241","lessThan":"6ea71246b7a02af675d733e72d14bd0d591d5f4a","status":"affected","versionType":"git"},{"version":"624322f1adc58acd0b69f77a6ddc764207e97241","lessThan":"35aa0fb8c3033a3d78603356e96fc18c5b9cceb2","status":"affected","versionType":"git"},{"version":"624322f1adc58acd0b69f77a6ddc764207e97241","lessThan":"019805fea91599b22dfa62ffb29c022f35abeb06","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4state.c"],"versions":[{"version":"5.6","status":"affected"},{"version":"0","lessThan":"5.6","status":"unaffected","versionType":"semver"},{"version":"5.10.150","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.75","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.17","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0.3","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"5.10.150"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"5.15.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"5.19.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.0.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/bbacfcde5fff25ac22597e8373a065c647da6738"},{"url":"https://git.kernel.org/stable/c/83b94969751a691347606dbe6b1865efcfa5a643"},{"url":"https://git.kernel.org/stable/c/6ea71246b7a02af675d733e72d14bd0d591d5f4a"},{"url":"https://git.kernel.org/stable/c/35aa0fb8c3033a3d78603356e96fc18c5b9cceb2"},{"url":"https://git.kernel.org/stable/c/019805fea91599b22dfa62ffb29c022f35abeb06"}],"title":"NFSD: fix use-after-free on source server when doing inter-server copy","x_generator":{"engine":"bippy-1.2.0"}}}}