{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50381","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-17T14:53:06.996Z","datePublished":"2025-09-18T13:33:03.439Z","dateUpdated":"2026-05-11T19:18:26.291Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:18:26.291Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix a crash in mempool_free\n\nThere's a crash in mempool_free when running the lvm test\nshell/lvchange-rebuild-raid.sh.\n\nThe reason for the crash is this:\n* super_written calls atomic_dec_and_test(&mddev->pending_writes) and\n  wake_up(&mddev->sb_wait). Then it calls rdev_dec_pending(rdev, mddev)\n  and bio_put(bio).\n* so, the process that waited on sb_wait and that is woken up is racing\n  with bio_put(bio).\n* if the process wins the race, it calls bioset_exit before bio_put(bio)\n  is executed.\n* bio_put(bio) attempts to free a bio into a destroyed bio set - causing\n  a crash in mempool_free.\n\nWe fix this bug by moving bio_put before atomic_dec_and_test.\n\nWe also move rdev_dec_pending before atomic_dec_and_test as suggested by\nNeil Brown.\n\nThe function md_end_flush has a similar bug - we must call bio_put before\nwe decrement the number of in-progress bios.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 11557f0067 P4D 11557f0067 PUD 0\n Oops: 0002 [#1] PREEMPT SMP\n CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n Workqueue: kdelayd flush_expired_bios [dm_delay]\n RIP: 0010:mempool_free+0x47/0x80\n Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 <48> 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00\n RSP: 0018:ffff88910036bda8 EFLAGS: 00010093\n RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001\n RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8\n RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900\n R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000\n R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05\n FS:  0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0\n Call Trace:\n  <TASK>\n  clone_endio+0xf4/0x1c0 [dm_mod]\n  clone_endio+0xf4/0x1c0 [dm_mod]\n  __submit_bio+0x76/0x120\n  submit_bio_noacct_nocheck+0xb6/0x2a0\n  flush_expired_bios+0x28/0x2f [dm_delay]\n  process_one_work+0x1b4/0x300\n  worker_thread+0x45/0x3e0\n  ? rescuer_thread+0x380/0x380\n  kthread+0xc2/0x100\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x1f/0x30\n  </TASK>\n Modules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/md.c"],"versions":[{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"732cd66ec19a17f2b9183d7d5b7bdb9c39b0776e","status":"affected","versionType":"git"},{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"cf06b162f5b6337b688072a1a47941280b8f7110","status":"affected","versionType":"git"},{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"b5be563b4356b3089b3245d024cae3f248ba7090","status":"affected","versionType":"git"},{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"384ef33d37cefb2ac539d44597d03f06c9b8975c","status":"affected","versionType":"git"},{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"ae7793027766491c5f8635b12d15a5940d3b8698","status":"affected","versionType":"git"},{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"91bd504128a51776472445070e11a3b0f9348c90","status":"affected","versionType":"git"},{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"842f222fc42a9239831e15b1fd49a51c546902cb","status":"affected","versionType":"git"},{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"97ce99984be12b9acb49ddce0f5d8ebb037adbb6","status":"affected","versionType":"git"},{"version":"f8b58edf3acf0dcc186b8330939000ecf709368a","lessThan":"341097ee53573e06ab9fc675d96a052385b851fa","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/md.c"],"versions":[{"version":"2.6.13","status":"affected"},{"version":"0","lessThan":"2.6.13","status":"unaffected","versionType":"semver"},{"version":"4.9.337","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.303","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.270","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.163","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.87","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.17","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.3","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"4.9.337"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"4.14.303"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"5.10.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"5.15.87"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"6.0.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"6.1.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/732cd66ec19a17f2b9183d7d5b7bdb9c39b0776e"},{"url":"https://git.kernel.org/stable/c/cf06b162f5b6337b688072a1a47941280b8f7110"},{"url":"https://git.kernel.org/stable/c/b5be563b4356b3089b3245d024cae3f248ba7090"},{"url":"https://git.kernel.org/stable/c/384ef33d37cefb2ac539d44597d03f06c9b8975c"},{"url":"https://git.kernel.org/stable/c/ae7793027766491c5f8635b12d15a5940d3b8698"},{"url":"https://git.kernel.org/stable/c/91bd504128a51776472445070e11a3b0f9348c90"},{"url":"https://git.kernel.org/stable/c/842f222fc42a9239831e15b1fd49a51c546902cb"},{"url":"https://git.kernel.org/stable/c/97ce99984be12b9acb49ddce0f5d8ebb037adbb6"},{"url":"https://git.kernel.org/stable/c/341097ee53573e06ab9fc675d96a052385b851fa"}],"title":"md: fix a crash in mempool_free","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-50381","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-01-14T18:47:48.002807Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T18:53:04.002Z"}}]}}