{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50405","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-17T14:53:07.001Z","datePublished":"2025-09-18T16:03:50.362Z","dateUpdated":"2026-05-11T19:18:51.602Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:18:51.602Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tunnel: wait until all sk_user_data reader finish before releasing the sock\n\nThere is a race condition in vxlan that when deleting a vxlan device\nduring receiving packets, there is a possibility that the sock is\nreleased after getting vxlan_sock vs from sk_user_data. Then in\nlater vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got\nNULL pointer dereference. e.g.\n\n   #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757\n   #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d\n   #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48\n   #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b\n   #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb\n   #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542\n   #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62\n      [exception RIP: vxlan_ecn_decapsulate+0x3b]\n      RIP: ffffffffc1014e7b  RSP: ffffa25ec6978cb0  RFLAGS: 00010246\n      RAX: 0000000000000008  RBX: ffff8aa000888000  RCX: 0000000000000000\n      RDX: 000000000000000e  RSI: ffff8a9fc7ab803e  RDI: ffff8a9fd1168700\n      RBP: ffff8a9fc7ab803e   R8: 0000000000700000   R9: 00000000000010ae\n      R10: ffff8a9fcb748980  R11: 0000000000000000  R12: ffff8a9fd1168700\n      R13: ffff8aa000888000  R14: 00000000002a0000  R15: 00000000000010ae\n      ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n   #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]\n   #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507\n   #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45\n  #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807\n  #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951\n  #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde\n  #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b\n  #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139\n  #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a\n  #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3\n  #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca\n  #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3\n\nReproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh\n\nFix this by waiting for all sk_user_data reader to finish before\nreleasing the sock."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/udp_tunnel_core.c"],"versions":[{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"e8316584b0a6c61c9c407631040c22712b26e38c","status":"affected","versionType":"git"},{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"84e566d157cc22ad2da8bdd970495855fbf13d92","status":"affected","versionType":"git"},{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"be34e79e0ae6adbf6e7e75ddaee9ad84795ab933","status":"affected","versionType":"git"},{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"303000c793f705d07b551eb7c1c27001c5b33c8d","status":"affected","versionType":"git"},{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"91f09a776ae335ca836ed864b8f2a9461882a280","status":"affected","versionType":"git"},{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"9a6544343bba7da929d6d4a2dc44ec0f15970081","status":"affected","versionType":"git"},{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"b38aa7465411795e9e744b8d94633910497fec2a","status":"affected","versionType":"git"},{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"588d0b8462f5ffed3e677e65639825b2678117ab","status":"affected","versionType":"git"},{"version":"6a93cc9052748c6355ec9d5b6c38b77f85f1cb0d","lessThan":"3cf7203ca620682165706f70a1b12b5194607dce","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/udp_tunnel_core.c"],"versions":[{"version":"3.18","status":"affected"},{"version":"0","lessThan":"3.18","status":"unaffected","versionType":"semver"},{"version":"4.9.337","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.303","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.270","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.163","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.86","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.16","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.2","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"4.9.337"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"4.14.303"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"5.10.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"5.15.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"6.0.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"6.1.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e8316584b0a6c61c9c407631040c22712b26e38c"},{"url":"https://git.kernel.org/stable/c/84e566d157cc22ad2da8bdd970495855fbf13d92"},{"url":"https://git.kernel.org/stable/c/be34e79e0ae6adbf6e7e75ddaee9ad84795ab933"},{"url":"https://git.kernel.org/stable/c/303000c793f705d07b551eb7c1c27001c5b33c8d"},{"url":"https://git.kernel.org/stable/c/91f09a776ae335ca836ed864b8f2a9461882a280"},{"url":"https://git.kernel.org/stable/c/9a6544343bba7da929d6d4a2dc44ec0f15970081"},{"url":"https://git.kernel.org/stable/c/b38aa7465411795e9e744b8d94633910497fec2a"},{"url":"https://git.kernel.org/stable/c/588d0b8462f5ffed3e677e65639825b2678117ab"},{"url":"https://git.kernel.org/stable/c/3cf7203ca620682165706f70a1b12b5194607dce"}],"title":"net/tunnel: wait until all sk_user_data reader finish before releasing the sock","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-50405","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-01-14T19:07:29.951048Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T19:13:08.244Z"}}]}}