CVE-2022-50816 (GCVE-0-2022-50816)
Vulnerability from cvelistv5
Published
2025-12-30 12:08
Modified
2025-12-30 12:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: ensure sane device mtu in tunnels
Another syzbot report [1] with no reproducer hints
at a bug in ip6_gre tunnel (dev:ip6gretap0)
Since ipv6 mcast code makes sure to read dev->mtu once
and applies a sanity check on it (see commit b9b312a7a451
"ipv6: mcast: better catch silly mtu values"), a remaining
possibility is that a layer is able to set dev->mtu to
an underflowed value (high order bit set).
This could happen indeed in ip6gre_tnl_link_config_route(),
ip6_tnl_link_config() and ipip6_tunnel_bind_dev()
Make sure to sanitize mtu value in a local variable before
it is written once on dev->mtu, as lockless readers could
catch wrong temporary value.
[1]
skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:120
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: mld mld_ifc_work
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116
lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116
sp : ffff800020dd3b60
x29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800
x26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200
x23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38
x20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9
x17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80
x11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00
x8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089
Call trace:
skb_panic+0x4c/0x50 net/core/skbuff.c:116
skb_over_panic net/core/skbuff.c:125 [inline]
skb_put+0xd4/0xdc net/core/skbuff.c:2049
ip6_mc_hdr net/ipv6/mcast.c:1714 [inline]
mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765
add_grhead net/ipv6/mcast.c:1851 [inline]
add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989
mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115
mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653
process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
worker_thread+0x340/0x610 kernel/workqueue.c:2436
kthread+0x12c/0x158 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000)
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f Version: c12b395a46646bab69089ce7016ac78177f6001f |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c",
"net/ipv6/ip6_tunnel.c",
"net/ipv6/sit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bab6fa449d16af36d9c9518865f783a15f446c7",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "78297d513157a31fd629626fe4cbb85a7dcbb94a",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "af51fc23a03f02b0c6df09ab0d60f23794436052",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "44affe7ede596f078c4f2f41e0d160266ccda818",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "ad3f1d9bf162c487d23df684852597961b745cae",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "ccd94bd4939690e24d13e23814bce7ed853a09f3",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "d89d7ff01235f218dad37de84457717f699dee79",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c",
"net/ipv6/ip6_tunnel.c",
"net/ipv6/sit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: ensure sane device mtu in tunnels\n\nAnother syzbot report [1] with no reproducer hints\nat a bug in ip6_gre tunnel (dev:ip6gretap0)\n\nSince ipv6 mcast code makes sure to read dev-\u003emtu once\nand applies a sanity check on it (see commit b9b312a7a451\n\"ipv6: mcast: better catch silly mtu values\"), a remaining\npossibility is that a layer is able to set dev-\u003emtu to\nan underflowed value (high order bit set).\n\nThis could happen indeed in ip6gre_tnl_link_config_route(),\nip6_tnl_link_config() and ipip6_tunnel_bind_dev()\n\nMake sure to sanitize mtu value in a local variable before\nit is written once on dev-\u003emtu, as lockless readers could\ncatch wrong temporary value.\n\n[1]\nskbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:120\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022\nWorkqueue: mld mld_ifc_work\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_panic+0x4c/0x50 net/core/skbuff.c:116\nlr : skb_panic+0x4c/0x50 net/core/skbuff.c:116\nsp : ffff800020dd3b60\nx29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800\nx26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200\nx23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38\nx20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9\nx17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80\nx14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80\nx11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00\nx8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000\nx5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\nskb_panic+0x4c/0x50 net/core/skbuff.c:116\nskb_over_panic net/core/skbuff.c:125 [inline]\nskb_put+0xd4/0xdc net/core/skbuff.c:2049\nip6_mc_hdr net/ipv6/mcast.c:1714 [inline]\nmld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765\nadd_grhead net/ipv6/mcast.c:1851 [inline]\nadd_grec+0xa20/0xae0 net/ipv6/mcast.c:1989\nmld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115\nmld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653\nprocess_one_work+0x2d8/0x504 kernel/workqueue.c:2289\nworker_thread+0x340/0x610 kernel/workqueue.c:2436\nkthread+0x12c/0x158 kernel/kthread.c:376\nret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nCode: 91011400 aa0803e1 a90027ea 94373093 (d4210000)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:32.215Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bab6fa449d16af36d9c9518865f783a15f446c7"
},
{
"url": "https://git.kernel.org/stable/c/78297d513157a31fd629626fe4cbb85a7dcbb94a"
},
{
"url": "https://git.kernel.org/stable/c/af51fc23a03f02b0c6df09ab0d60f23794436052"
},
{
"url": "https://git.kernel.org/stable/c/44affe7ede596f078c4f2f41e0d160266ccda818"
},
{
"url": "https://git.kernel.org/stable/c/ad3f1d9bf162c487d23df684852597961b745cae"
},
{
"url": "https://git.kernel.org/stable/c/ccd94bd4939690e24d13e23814bce7ed853a09f3"
},
{
"url": "https://git.kernel.org/stable/c/d89d7ff01235f218dad37de84457717f699dee79"
}
],
"title": "ipv6: ensure sane device mtu in tunnels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50816",
"datePublished": "2025-12-30T12:08:32.215Z",
"dateReserved": "2025-12-30T12:06:07.130Z",
"dateUpdated": "2025-12-30T12:08:32.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-50816\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:15:55.963\",\"lastModified\":\"2025-12-31T20:43:05.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: ensure sane device mtu in tunnels\\n\\nAnother syzbot report [1] with no reproducer hints\\nat a bug in ip6_gre tunnel (dev:ip6gretap0)\\n\\nSince ipv6 mcast code makes sure to read dev-\u003emtu once\\nand applies a sanity check on it (see commit b9b312a7a451\\n\\\"ipv6: mcast: better catch silly mtu values\\\"), a remaining\\npossibility is that a layer is able to set dev-\u003emtu to\\nan underflowed value (high order bit set).\\n\\nThis could happen indeed in ip6gre_tnl_link_config_route(),\\nip6_tnl_link_config() and ipip6_tunnel_bind_dev()\\n\\nMake sure to sanitize mtu value in a local variable before\\nit is written once on dev-\u003emtu, as lockless readers could\\ncatch wrong temporary value.\\n\\n[1]\\nskbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0\\n------------[ cut here ]------------\\nkernel BUG at net/core/skbuff.c:120\\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022\\nWorkqueue: mld mld_ifc_work\\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : skb_panic+0x4c/0x50 net/core/skbuff.c:116\\nlr : skb_panic+0x4c/0x50 net/core/skbuff.c:116\\nsp : ffff800020dd3b60\\nx29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800\\nx26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200\\nx23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38\\nx20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9\\nx17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80\\nx14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80\\nx11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00\\nx8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000\\nx5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000\\nx2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089\\nCall trace:\\nskb_panic+0x4c/0x50 net/core/skbuff.c:116\\nskb_over_panic net/core/skbuff.c:125 [inline]\\nskb_put+0xd4/0xdc net/core/skbuff.c:2049\\nip6_mc_hdr net/ipv6/mcast.c:1714 [inline]\\nmld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765\\nadd_grhead net/ipv6/mcast.c:1851 [inline]\\nadd_grec+0xa20/0xae0 net/ipv6/mcast.c:1989\\nmld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115\\nmld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653\\nprocess_one_work+0x2d8/0x504 kernel/workqueue.c:2289\\nworker_thread+0x340/0x610 kernel/workqueue.c:2436\\nkthread+0x12c/0x158 kernel/kthread.c:376\\nret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\\nCode: 91011400 aa0803e1 a90027ea 94373093 (d4210000)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2bab6fa449d16af36d9c9518865f783a15f446c7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/44affe7ede596f078c4f2f41e0d160266ccda818\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/78297d513157a31fd629626fe4cbb85a7dcbb94a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ad3f1d9bf162c487d23df684852597961b745cae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/af51fc23a03f02b0c6df09ab0d60f23794436052\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ccd94bd4939690e24d13e23814bce7ed853a09f3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d89d7ff01235f218dad37de84457717f699dee79\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…