| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061851-CVE-2022-50065-b627@gregkh> Date: Wed, 18 Jun 2025 13:02:10 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50065: virtio_net: fix memory leak inside XPD_TX with mergeable From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix memory leak inside XPD_TX with mergeable When we call xdp_convert_buff_to_frame() to get xdpf, if it returns NULL, we should check if xdp_page was allocated by xdp_linearize_page(). If it is newly allocated, it should be freed here alone. Just like any other "goto err_xdp". The Linux kernel CVE team has assigned CVE-2022-50065 to this issue. Affected and fixed versions =========================== Issue introduced in 4.18 with commit 44fa2dbd475996ddc8f3a0e6113dee983e0ee3aa and fixed in 5.10.138 with commit faafa2a87f697ee537c29446097e1cc3143506fa Issue introduced in 4.18 with commit 44fa2dbd475996ddc8f3a0e6113dee983e0ee3aa and fixed in 5.15.63 with commit d3723eab11196475ef83279571b2b0bd0924cf82 Issue introduced in 4.18 with commit 44fa2dbd475996ddc8f3a0e6113dee983e0ee3aa and fixed in 5.19.4 with commit 18e383afbd7047af7b055df6e25436e0ce28f8a5 Issue introduced in 4.18 with commit 44fa2dbd475996ddc8f3a0e6113dee983e0ee3aa and fixed in 6.0 with commit 7a542bee27c6a57e45c33cbbdc963325fd6493af Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50065 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/virtio_net.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/faafa2a87f697ee537c29446097e1cc3143506fa https://git.kernel.org/stable/c/d3723eab11196475ef83279571b2b0bd0924cf82 https://git.kernel.org/stable/c/18e383afbd7047af7b055df6e25436e0ce28f8a5 https://git.kernel.org/stable/c/7a542bee27c6a57e45c33cbbdc963325fd6493af
Powered by blists - more mailing lists