CVE-2022-50569
Description
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Update ipcomp_scratches with NULL when freed
Currently if ipcomp_alloc_scratches() fails to allocate memory ipcomp_scratches holds obsolete address. So when we try to free the percpu scratches using ipcomp_free_scratches() it tries to vfree non existent vm area. Described below:
static void * __percpu *ipcomp_alloc_scratches(void)
{
        ...
        scratches = alloc_percpu(void *);
        if (!scratches)
                return NULL;
        /* ipcomp_scratches does not know about this allocation failure.
         * Therefore holding the old obsolete address. */
        ...
}

So when we free,

static void ipcomp_free_scratches(void)
{
        ...
        scratches = ipcomp_scratches;
        /* Assigning obsolete address from ipcomp_scratches */

        if (!scratches)
                return;

        for_each_possible_cpu(i)
                vfree(*per_cpu_ptr(scratches, i));
        /* Trying to free non existent page, causing warning: trying to vfree
         * existent vm area. */
        ...
}
Fix this breakage by updating ipcomp_scratches with NULL when scratches is freed.
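An added example, not taken from the kernel source or the original commit: a userspace C model of the bookkeeping described above, showing the stale global pointer reaching the free loop after a failed allocation, and the NULL assignment preventing it. The struct percpu type, the alloc_fails hook, the bad_vfree counter and the assumption that the caller's error path invokes the free routine are constructed for illustration.

```c
/* Userspace model (constructed); names mirror the description, not kernel code. */
#include <stdbool.h>
#include <stdlib.h>

#define NCPU 4                      /* stand-in for for_each_possible_cpu() */

struct percpu { bool live; void *slot[NCPU]; };

static struct percpu area;          /* the one per-CPU area this model hands out */
static struct percpu *ipcomp_scratches;
static bool alloc_fails;            /* hook: simulate alloc_percpu() failing */
static int bad_vfree;               /* frees attempted through a stale pointer */

static struct percpu *alloc_scratches(void)
{
    if (alloc_fails)
        return NULL;                /* the global is not touched on this path */
    area.live = true;
    for (int i = 0; i < NCPU; i++)
        area.slot[i] = malloc(64);
    ipcomp_scratches = &area;
    return &area;
}

static void free_scratches(bool fixed)
{
    struct percpu *s = ipcomp_scratches;
    if (!s)
        return;
    for (int i = 0; i < NCPU; i++) {
        if (s->live)
            free(s->slot[i]);
        else
            bad_vfree++;            /* kernel: vfree() of a nonexistent vm area */
    }
    s->live = false;
    if (fixed)
        ipcomp_scratches = NULL;    /* the fix: forget the pointer once freed */
}

/* alloc OK, free, alloc fails, cleanup free; returns the bad vfree() count */
int run_sequence(bool fixed)
{
    ipcomp_scratches = NULL; alloc_fails = false; bad_vfree = 0;
    alloc_scratches();
    free_scratches(fixed);
    alloc_fails = true;
    if (!alloc_scratches())
        free_scratches(fixed);      /* assumed error path releasing scratches */
    return bad_vfree;
}
```

Without the NULL assignment the cleanup call walks every per-CPU slot of the already released area; with it, the early `if (!s) return;` check becomes effective.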
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in the Linux kernel's IPComp implementation occurs when memory allocation fails, leaving a stale pointer that leads to an invalid vfree.
Vulnerability Overview
In the Linux kernel's IPComp (IP Payload Compression Protocol) implementation, a memory management flaw exists in the ipcomp_alloc_scratches() function. When memory allocation fails via alloc_percpu(), the global pointer ipcomp_scratches retains its previous, now-obsolete address instead of being updated to NULL [1]. This leaves the system in an inconsistent state.
Exploitation Scenario
An attacker with the ability to trigger IPComp resource exhaustion—such as by consuming system memory—could cause ipcomp_alloc_scratches() to fail. The subsequent call to ipcomp_free_scratches() uses the stale ipcomp_scratches pointer. This leads to a vfree() on an already freed or non-existent virtual memory area, resulting in a kernel warning or potential crash [2]. No authentication is required, but the attacker must be able to influence memory allocation within the kernel's networking stack.
Impact
Successful exploitation causes a kernel panic or a system crash (denial of service). The incorrect vfree() call can corrupt kernel memory, potentially leading to privilege escalation, though the primary impact is availability [3].
Mitigation
The fix updates ipcomp_scratches to NULL when scratches are freed, preventing the use of a dangling pointer [4]. Patches have been backported to stable kernel trees. Users should apply the relevant kernel update to their distribution.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 9
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/03155680191ef0f004b1d6a5714c5b8cd271ab61 (nvd)
- git.kernel.org/stable/c/18373ed500f7cd53e24d9b0bd0f1c09d78dba87e (nvd)
- git.kernel.org/stable/c/1e8abde895b3ac6a368cbdb372e8800c49e73a28 (nvd)
- git.kernel.org/stable/c/2c19945ce8095d065df550e7fe350cd5cc40c6e6 (nvd)
- git.kernel.org/stable/c/8a04d2fc700f717104bfb95b0f6694e448a4537f (nvd)
- git.kernel.org/stable/c/a39f456d62810c0efb43cead22f98d95b53e4b1a (nvd)
- git.kernel.org/stable/c/be81c44242b20fc3bdcc73480ef8aaee56f5d0b6 (nvd)
- git.kernel.org/stable/c/debca61df6bc2f65e020656c9c5b878d6b38d30f (nvd)
- git.kernel.org/stable/c/f3bdba4440d82e0da2b1bfc35d3836c8a8e00677 (nvd)