{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50816","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:07.130Z","datePublished":"2025-12-30T12:08:32.215Z","dateUpdated":"2026-05-11T19:25:40.382Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:25:40.382Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: ensure sane device mtu in tunnels\n\nAnother syzbot report [1] with no reproducer hints\nat a bug in ip6_gre tunnel (dev:ip6gretap0)\n\nSince ipv6 mcast code makes sure to read dev->mtu once\nand applies a sanity check on it (see commit b9b312a7a451\n\"ipv6: mcast: better catch silly mtu values\"), a remaining\npossibility is that a layer is able to set dev->mtu to\nan underflowed value (high order bit set).\n\nThis could happen indeed in ip6gre_tnl_link_config_route(),\nip6_tnl_link_config() and ipip6_tunnel_bind_dev()\n\nMake sure to sanitize mtu value in a local variable before\nit is written once on dev->mtu, as lockless readers could\ncatch wrong temporary value.\n\n[1]\nskbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:120\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022\nWorkqueue: mld mld_ifc_work\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_panic+0x4c/0x50 net/core/skbuff.c:116\nlr : skb_panic+0x4c/0x50 net/core/skbuff.c:116\nsp : ffff800020dd3b60\nx29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800\nx26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200\nx23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38\nx20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9\nx17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80\nx14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80\nx11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00\nx8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000\nx5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\nskb_panic+0x4c/0x50 net/core/skbuff.c:116\nskb_over_panic net/core/skbuff.c:125 [inline]\nskb_put+0xd4/0xdc net/core/skbuff.c:2049\nip6_mc_hdr net/ipv6/mcast.c:1714 [inline]\nmld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765\nadd_grhead net/ipv6/mcast.c:1851 [inline]\nadd_grec+0xa20/0xae0 net/ipv6/mcast.c:1989\nmld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115\nmld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653\nprocess_one_work+0x2d8/0x504 kernel/workqueue.c:2289\nworker_thread+0x340/0x610 kernel/workqueue.c:2436\nkthread+0x12c/0x158 kernel/kthread.c:376\nret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nCode: 91011400 aa0803e1 a90027ea 94373093 (d4210000)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/ip6_gre.c","net/ipv6/ip6_tunnel.c","net/ipv6/sit.c"],"versions":[{"version":"c12b395a46646bab69089ce7016ac78177f6001f","lessThan":"2bab6fa449d16af36d9c9518865f783a15f446c7","status":"affected","versionType":"git"},{"version":"c12b395a46646bab69089ce7016ac78177f6001f","lessThan":"78297d513157a31fd629626fe4cbb85a7dcbb94a","status":"affected","versionType":"git"},{"version":"c12b395a46646bab69089ce7016ac78177f6001f","lessThan":"af51fc23a03f02b0c6df09ab0d60f23794436052","status":"affected","versionType":"git"},{"version":"c12b395a46646bab69089ce7016ac78177f6001f","lessThan":"44affe7ede596f078c4f2f41e0d160266ccda818","status":"affected","versionType":"git"},{"version":"c12b395a46646bab69089ce7016ac78177f6001f","lessThan":"ad3f1d9bf162c487d23df684852597961b745cae","status":"affected","versionType":"git"},{"version":"c12b395a46646bab69089ce7016ac78177f6001f","lessThan":"ccd94bd4939690e24d13e23814bce7ed853a09f3","status":"affected","versionType":"git"},{"version":"c12b395a46646bab69089ce7016ac78177f6001f","lessThan":"d89d7ff01235f218dad37de84457717f699dee79","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv6/ip6_gre.c","net/ipv6/ip6_tunnel.c","net/ipv6/sit.c"],"versions":[{"version":"3.7","status":"affected"},{"version":"0","lessThan":"3.7","status":"unaffected","versionType":"semver"},{"version":"4.14.305","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.272","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.231","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.153","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.77","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.7","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"4.14.305"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"4.19.272"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"5.4.231"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"5.10.153"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"5.15.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"6.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2bab6fa449d16af36d9c9518865f783a15f446c7"},{"url":"https://git.kernel.org/stable/c/78297d513157a31fd629626fe4cbb85a7dcbb94a"},{"url":"https://git.kernel.org/stable/c/af51fc23a03f02b0c6df09ab0d60f23794436052"},{"url":"https://git.kernel.org/stable/c/44affe7ede596f078c4f2f41e0d160266ccda818"},{"url":"https://git.kernel.org/stable/c/ad3f1d9bf162c487d23df684852597961b745cae"},{"url":"https://git.kernel.org/stable/c/ccd94bd4939690e24d13e23814bce7ed853a09f3"},{"url":"https://git.kernel.org/stable/c/d89d7ff01235f218dad37de84457717f699dee79"}],"title":"ipv6: ensure sane device mtu in tunnels","x_generator":{"engine":"bippy-1.2.0"}}}}