{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50341","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-16T16:03:27.881Z","datePublished":"2025-09-16T16:11:20.838Z","dateUpdated":"2026-05-11T19:17:33.655Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:17:33.655Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix oops during encryption\n\nWhen running xfstests against Azure the following oops occurred on an\narm64 system\n\n  Unable to handle kernel write to read-only memory at virtual address\n  ffff0001221cf000\n  Mem abort info:\n    ESR = 0x9600004f\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x0f: level 3 permission fault\n  Data abort info:\n    ISV = 0, ISS = 0x0000004f\n    CM = 0, WnR = 1\n  swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000\n  [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,\n  pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787\n  Internal error: Oops: 9600004f [#1] PREEMPT SMP\n  ...\n  pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)\n  pc : __memcpy+0x40/0x230\n  lr : scatterwalk_copychunks+0xe0/0x200\n  sp : ffff800014e92de0\n  x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008\n  x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008\n  x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000\n  x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014\n  x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058\n  x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590\n  x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580\n  x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005\n  x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001\n  x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000\n  Call trace:\n   __memcpy+0x40/0x230\n   scatterwalk_map_and_copy+0x98/0x100\n   crypto_ccm_encrypt+0x150/0x180\n   crypto_aead_encrypt+0x2c/0x40\n   crypt_message+0x750/0x880\n   smb3_init_transform_rq+0x298/0x340\n   smb_send_rqst.part.11+0xd8/0x180\n   smb_send_rqst+0x3c/0x100\n   compound_send_recv+0x534/0xbc0\n   smb2_query_info_compound+0x32c/0x440\n   smb2_set_ea+0x438/0x4c0\n   cifs_xattr_set+0x5d4/0x7c0\n\nThis is because in scatterwalk_copychunks(), we attempted to write to\na buffer (@sign) that was allocated in the stack (vmalloc area) by\ncrypt_message() and thus accessing its remaining 8 (x2) bytes ended up\ncrossing a page boundary.\n\nTo simply fix it, we could just pass @sign kmalloc'd from\ncrypt_message() and then we're done.  Luckily, we don't seem to pass\nany other vmalloc'd buffers in smb_rqst::rq_iov...\n\nInstead, let's map the correct pages and offsets from vmalloc buffers\nas well in cifs_sg_set_buf() and then avoiding such oopses."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/cifs/cifsglob.h","fs/cifs/cifsproto.h","fs/cifs/misc.c","fs/cifs/smb2ops.c"],"versions":[{"version":"026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398","lessThan":"e8e2861cc3258dbe407d01ea8c59bb5a53132301","status":"affected","versionType":"git"},{"version":"026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398","lessThan":"fe6ea044c4f05706cb71040055b1c70c6c8275e0","status":"affected","versionType":"git"},{"version":"026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398","lessThan":"bf0543b93740916ee91956f9a63da6fc0d79daaa","status":"affected","versionType":"git"},{"version":"026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398","lessThan":"a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9","status":"affected","versionType":"git"},{"version":"026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398","lessThan":"e8d16a54842d609fd4a3ed2d81d4333d6329aa94","status":"affected","versionType":"git"},{"version":"026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398","lessThan":"f7f291e14dde32a07b1f0aa06921d28f875a7b54","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/cifs/cifsglob.h","fs/cifs/cifsproto.h","fs/cifs/misc.c","fs/cifs/smb2ops.c"],"versions":[{"version":"4.11","status":"affected"},{"version":"0","lessThan":"4.11","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.163","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.87","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.16","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.1","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.10.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.15.87"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.0.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.1.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e8e2861cc3258dbe407d01ea8c59bb5a53132301"},{"url":"https://git.kernel.org/stable/c/fe6ea044c4f05706cb71040055b1c70c6c8275e0"},{"url":"https://git.kernel.org/stable/c/bf0543b93740916ee91956f9a63da6fc0d79daaa"},{"url":"https://git.kernel.org/stable/c/a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9"},{"url":"https://git.kernel.org/stable/c/e8d16a54842d609fd4a3ed2d81d4333d6329aa94"},{"url":"https://git.kernel.org/stable/c/f7f291e14dde32a07b1f0aa06921d28f875a7b54"}],"title":"cifs: fix oops during encryption","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-50341","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-01-14T18:19:48.496611Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","description":"CWE-noinfo Not enough information"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T18:22:57.726Z"}}]}}