{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50780","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T13:02:21.548Z","datePublished":"2025-12-24T13:06:08.552Z","dateUpdated":"2026-05-11T19:25:24.107Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:25:24.107Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed\n\nWhen the ops_init() interface is invoked to initialize the net, but\nops->init() fails, data is released. However, the ptr pointer in\nnet->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked\nto release the net, invalid address access occurs.\n\nThe process is as follows:\nsetup_net()\n\tops_init()\n\t\tdata = kzalloc(...)   ---> alloc \"data\"\n\t\tnet_assign_generic()  ---> assign \"date\" to ptr in net->gen\n\t\t...\n\t\tops->init()           ---> failed\n\t\t...\n\t\tkfree(data);          ---> ptr in net->gen is invalid\n\t...\n\tops_exit_list()\n\t\t...\n\t\tnfqnl_nf_hook_drop()\n\t\t\t*q = nfnl_queue_pernet(net) ---> q is invalid\n\nThe following is the Call Trace information:\nBUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280\nRead of size 8 at addr ffff88810396b240 by task ip/15855\nCall Trace:\n<TASK>\ndump_stack_lvl+0x8e/0xd1\nprint_report+0x155/0x454\nkasan_report+0xba/0x1f0\nnfqnl_nf_hook_drop+0x264/0x280\nnf_queue_nf_hook_drop+0x8b/0x1b0\n__nf_unregister_net_hook+0x1ae/0x5a0\nnf_unregister_net_hooks+0xde/0x130\nops_exit_list+0xb0/0x170\nsetup_net+0x7ac/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n</TASK>\n\nAllocated by task 15855:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\n__kasan_kmalloc+0xa1/0xb0\n__kmalloc+0x49/0xb0\nops_init+0xe7/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFreed by task 15855:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\nkasan_save_free_info+0x2a/0x40\n____kasan_slab_free+0x155/0x1b0\nslab_free_freelist_hook+0x11b/0x220\n__kmem_cache_free+0xa4/0x360\nops_init+0xb9/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/net_namespace.c"],"versions":[{"version":"f875bae065334907796da12523f9df85c89f5712","lessThan":"5a2ea549be94924364f6911227d99be86e8cf34a","status":"affected","versionType":"git"},{"version":"f875bae065334907796da12523f9df85c89f5712","lessThan":"97ad240fd9aa9214497d14af2b91608e20856cac","status":"affected","versionType":"git"},{"version":"f875bae065334907796da12523f9df85c89f5712","lessThan":"c3edc6e808209aa705185f732e682a370981ced1","status":"affected","versionType":"git"},{"version":"f875bae065334907796da12523f9df85c89f5712","lessThan":"a1e18acb0246bfb001b08b8b1b830b5ec92a0f13","status":"affected","versionType":"git"},{"version":"f875bae065334907796da12523f9df85c89f5712","lessThan":"4a4df5e78712de39d6f90d6a64b5eb48dca03bd5","status":"affected","versionType":"git"},{"version":"f875bae065334907796da12523f9df85c89f5712","lessThan":"d266935ac43d57586e311a087510fe6a084af742","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/net_namespace.c"],"versions":[{"version":"2.6.33","status":"affected"},{"version":"0","lessThan":"2.6.33","status":"unaffected","versionType":"semver"},{"version":"4.19.264","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.223","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.153","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.77","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.7","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"4.19.264"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"5.4.223"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"5.10.153"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"5.15.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"6.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5a2ea549be94924364f6911227d99be86e8cf34a"},{"url":"https://git.kernel.org/stable/c/97ad240fd9aa9214497d14af2b91608e20856cac"},{"url":"https://git.kernel.org/stable/c/c3edc6e808209aa705185f732e682a370981ced1"},{"url":"https://git.kernel.org/stable/c/a1e18acb0246bfb001b08b8b1b830b5ec92a0f13"},{"url":"https://git.kernel.org/stable/c/4a4df5e78712de39d6f90d6a64b5eb48dca03bd5"},{"url":"https://git.kernel.org/stable/c/d266935ac43d57586e311a087510fe6a084af742"}],"title":"net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed","x_generator":{"engine":"bippy-1.2.0"}}}}