{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50253","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-15T13:58:00.973Z","datePublished":"2025-09-15T14:02:34.849Z","dateUpdated":"2026-05-11T19:15:44.305Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:15:44.305Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: make sure skb->len != 0 when redirecting to a tunneling device\n\nsyzkaller managed to trigger another case where skb->len == 0\nwhen we enter __dev_queue_xmit:\n\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295\n\nCall Trace:\n dev_queue_xmit+0x17/0x20 net/core/dev.c:4406\n __bpf_tx_skb net/core/filter.c:2115 [inline]\n __bpf_redirect_no_mac net/core/filter.c:2140 [inline]\n __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163\n ____bpf_clone_redirect net/core/filter.c:2447 [inline]\n bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419\n bpf_prog_48159a89cb4a9a16+0x59/0x5e\n bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]\n __bpf_prog_run include/linux/filter.h:596 [inline]\n bpf_prog_run include/linux/filter.h:603 [inline]\n bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402\n bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170\n bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648\n __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005\n __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089\n do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThe reproducer doesn't really reproduce outside of syzkaller\nenvironment, so I'm taking a guess here. It looks like we\ndo generate correct ETH_HLEN-sized packet, but we redirect\nthe packet to the tunneling device. Before we do so, we\n__skb_pull l2 header and arrive again at skb->len == 0.\nDoesn't seem like we can do anything better than having\nan explicit check after __skb_pull?"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/filter.c"],"versions":[{"version":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d","lessThan":"ffbccc5fb0a67424e12f7f8da210c04c8063f797","status":"affected","versionType":"git"},{"version":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d","lessThan":"e6a63203e5a90a39392fa1a7ffc60f5e9baf642a","status":"affected","versionType":"git"},{"version":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d","lessThan":"772431f30ca040cfbf31b791d468bac6a9ca74d3","status":"affected","versionType":"git"},{"version":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d","lessThan":"6d935a02658be82585ecb39aab339faa84496650","status":"affected","versionType":"git"},{"version":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d","lessThan":"5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5","status":"affected","versionType":"git"},{"version":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d","lessThan":"1b65704b8c08ae92db29f720d3b298031131da53","status":"affected","versionType":"git"},{"version":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d","lessThan":"f186303845a01cc7e991f9dc51d7e5a3cdc7aedb","status":"affected","versionType":"git"},{"version":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d","lessThan":"07ec7b502800ba9f7b8b15cb01dd6556bb41aaca","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/filter.c"],"versions":[{"version":"4.9","status":"affected"},{"version":"0","lessThan":"4.9","status":"unaffected","versionType":"semver"},{"version":"4.14.303","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.270","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.163","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.86","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.16","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.2","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"4.14.303"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.10.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.15.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"6.0.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"6.1.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797"},{"url":"https://git.kernel.org/stable/c/e6a63203e5a90a39392fa1a7ffc60f5e9baf642a"},{"url":"https://git.kernel.org/stable/c/772431f30ca040cfbf31b791d468bac6a9ca74d3"},{"url":"https://git.kernel.org/stable/c/6d935a02658be82585ecb39aab339faa84496650"},{"url":"https://git.kernel.org/stable/c/5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5"},{"url":"https://git.kernel.org/stable/c/1b65704b8c08ae92db29f720d3b298031131da53"},{"url":"https://git.kernel.org/stable/c/f186303845a01cc7e991f9dc51d7e5a3cdc7aedb"},{"url":"https://git.kernel.org/stable/c/07ec7b502800ba9f7b8b15cb01dd6556bb41aaca"}],"title":"bpf: make sure skb->len != 0 when redirecting to a tunneling device","x_generator":{"engine":"bippy-1.2.0"}}}}