{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49664", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:21:30.435Z", "datePublished": "2025-02-26T02:23:59.792Z", "dateUpdated": "2025-02-26T02:23:59.792Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-26T02:23:59.792Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: move bc link creation back to tipc_node_create\n\nShuang Li reported a NULL pointer dereference crash:\n\n [] BUG: kernel NULL pointer dereference, address: 0000000000000068\n [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc]\n [] Call Trace:\n [] <IRQ>\n [] tipc_bcast_rcv+0xa2/0x190 [tipc]\n [] tipc_node_bc_rcv+0x8b/0x200 [tipc]\n [] tipc_rcv+0x3af/0x5b0 [tipc]\n [] tipc_udp_recv+0xc7/0x1e0 [tipc]\n\nIt was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it\ncreates a node in tipc_node_check_dest(), after inserting the new node\ninto hashtable in tipc_node_create(), it creates the bc link. However,\nthere is a gap between this insert and bc link creation, a bc packet\nmay come in and get the node from the hashtable then try to dereference\nits bc link, which is NULL.\n\nThis patch is to fix it by moving the bc link creation before inserting\ninto the hashtable.\n\nNote that for a preliminary node becoming \"real\", the bc link creation\nshould also be called before it's rehashed, as we don't create it for\npreliminary nodes."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tipc/node.c"], "versions": [{"version": "4cbf8ac2fe5a0846508fe02b95a5de1a90fa73f4", "lessThan": "456bc338871c4a52117dd5ef29cce3745456d248", "status": "affected", "versionType": "git"}, {"version": "4cbf8ac2fe5a0846508fe02b95a5de1a90fa73f4", "lessThan": "35fcb2ba35b4d9b592b558c3bcc6e0d90e213588", "status": "affected", "versionType": "git"}, {"version": "4cbf8ac2fe5a0846508fe02b95a5de1a90fa73f4", "lessThan": "e52910e671f58c619e33dac476b11b35e2d3ab6f", "status": "affected", "versionType": "git"}, {"version": "4cbf8ac2fe5a0846508fe02b95a5de1a90fa73f4", "lessThan": "cb8092d70a6f5f01ec1490fce4d35efed3ed996c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tipc/node.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.129", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.53", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.10", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/456bc338871c4a52117dd5ef29cce3745456d248"}, {"url": "https://git.kernel.org/stable/c/35fcb2ba35b4d9b592b558c3bcc6e0d90e213588"}, {"url": "https://git.kernel.org/stable/c/e52910e671f58c619e33dac476b11b35e2d3ab6f"}, {"url": "https://git.kernel.org/stable/c/cb8092d70a6f5f01ec1490fce4d35efed3ed996c"}], "title": "tipc: move bc link creation back to tipc_node_create", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CED68CD-DF2D-4A28-BAB6-F04A71D588FB", "versionEndExcluding": "5.10.129", "versionStartIncluding": "5.4.287", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "70DCF327-F4B6-4CDB-8C9E-98E909E60127", "versionEndExcluding": "5.15.53", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8261A22B-B156-4045-AE8E-AA9E95E7930C", "versionEndExcluding": "5.18.10", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F3068028-F453-4A1C-B80F-3F5609ACEF60", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "2E9C0DB0-D349-489F-A3D6-B77214E93A8A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: move bc link creation back to tipc_node_create\n\nShuang Li reported a NULL pointer dereference crash:\n\n [] BUG: kernel NULL pointer dereference, address: 0000000000000068\n [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc]\n [] Call Trace:\n [] <IRQ>\n [] tipc_bcast_rcv+0xa2/0x190 [tipc]\n [] tipc_node_bc_rcv+0x8b/0x200 [tipc]\n [] tipc_rcv+0x3af/0x5b0 [tipc]\n [] tipc_udp_recv+0xc7/0x1e0 [tipc]\n\nIt was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it\ncreates a node in tipc_node_check_dest(), after inserting the new node\ninto hashtable in tipc_node_create(), it creates the bc link. However,\nthere is a gap between this insert and bc link creation, a bc packet\nmay come in and get the node from the hashtable then try to dereference\nits bc link, which is NULL.\n\nThis patch is to fix it by moving the bc link creation before inserting\ninto the hashtable.\n\nNote that for a preliminary node becoming \"real\", the bc link creation\nshould also be called before it's rehashed, as we don't create it for\npreliminary nodes."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tipc: mover la creaci\u00f3n del enlace bc de nuevo a tipc_node_create Shuang Li reported a NULL pointer dereference crash: [] BUG: kernel NULL pointer dereference, address: 0000000000000068 [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc] [] Call Trace: [] [] tipc_bcast_rcv+0xa2/0x190 [tipc] [] tipc_node_bc_rcv+0x8b/0x200 [tipc] [] tipc_rcv+0x3af/0x5b0 [tipc] [] tipc_udp_recv+0xc7/0x1e0 [tipc] It was caused by the 'l' passed into tipc_bcast_rcv() is NULL. Cuando crea un nodo en tipc_node_check_dest(), despu\u00e9s de insertar el nuevo nodo en la tabla hash en tipc_node_create(), crea el enlace bc. Sin embargo, hay una brecha entre esta inserci\u00f3n y la creaci\u00f3n del enlace bc, un paquete bc puede llegar y obtener el nodo de la tabla hash y luego intentar desreferenciar su enlace bc, que es NULL. Este parche es para solucionarlo moviendo la creaci\u00f3n del enlace bc antes de insertarlo en la tabla hash. Tenga en cuenta que para que un nodo preliminar se vuelva \"real\", la creaci\u00f3n del enlace bc tambi\u00e9n debe llamarse antes de que se vuelva a crear, ya que no lo creamos para los nodos preliminares."}], "id": "CVE-2022-49664", "lastModified": "2025-03-11T22:25:53.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:01:41.420", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/35fcb2ba35b4d9b592b558c3bcc6e0d90e213588"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/456bc338871c4a52117dd5ef29cce3745456d248"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cb8092d70a6f5f01ec1490fce4d35efed3ed996c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e52910e671f58c619e33dac476b11b35e2d3ab6f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: tipc: move bc link creation back to tipc_node_create", "id": "2348070", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348070"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntipc: move bc link creation back to tipc_node_create\nShuang Li reported a NULL pointer dereference crash:\n[] BUG: kernel NULL pointer dereference, address: 0000000000000068\n[] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc]\n[] Call Trace:\n[] <IRQ>\n[] tipc_bcast_rcv+0xa2/0x190 [tipc]\n[] tipc_node_bc_rcv+0x8b/0x200 [tipc]\n[] tipc_rcv+0x3af/0x5b0 [tipc]\n[] tipc_udp_recv+0xc7/0x1e0 [tipc]\nIt was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it\ncreates a node in tipc_node_check_dest(), after inserting the new node\ninto hashtable in tipc_node_create(), it creates the bc link. However,\nthere is a gap between this insert and bc link creation, a bc packet\nmay come in and get the node from the hashtable then try to dereference\nits bc link, which is NULL.\nThis patch is to fix it by moving the bc link creation before inserting\ninto the hashtable.\nNote that for a preliminary node becoming \"real\", the bc link creation\nshould also be called before it's rehashed, as we don't create it for\npreliminary nodes."], "name": "CVE-2022-49664", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49664\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49664\nhttps://lore.kernel.org/linux-cve-announce/2025022622-CVE-2022-49664-d3af@gregkh/T"], "threat_severity": "Moderate"}