CVE-2022-50635
Description
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
I found a null pointer reference in arch_prepare_kprobe():
# echo 'p cmdline_proc_show' > kprobe_events
# echo 'p cmdline_proc_show+16' >> kprobe_events
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc000000000050bfc
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in:
CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10
NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc
REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006
CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
...
NIP arch_prepare_kprobe+0x10c/0x2d0
LR arch_prepare_kprobe+0xfc/0x2d0
Call Trace:
0xc0000000012f77a0 (unreliable)
register_kprobe+0x3c0/0x7a0
__register_trace_kprobe+0x140/0x1a0
__trace_kprobe_create+0x794/0x1040
trace_probe_create+0xc4/0xe0
create_or_delete_trace_kprobe+0x2c/0x80
trace_parse_run_command+0xf0/0x210
probes_write+0x20/0x40
vfs_write+0xfc/0x450
ksys_write+0x84/0x140
system_call_exception+0x17c/0x3a0
system_call_vectored_common+0xe8/0x278
--- interrupt: 3000 at 0x7fffa5682de0
NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000
REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000
The addresses being probed have something special about them:
cmdline_proc_show: Probe based on ftrace
cmdline_proc_show+16: Probe for the next instruction at the ftrace location
The ftrace-based kprobe does not generate kprobe::ainsn::insn; it gets set to NULL. In arch_prepare_kprobe() it will check for:
...
prev = get_kprobe(p->addr - 1);
preempt_enable_no_resched();
if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
...
If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur with a null pointer reference. At this point prev->addr will not be a prefixed instruction, so the check can be skipped.
Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn' to fix this problem.
[mpe: Trim oops]
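The guarded check the commit describes, modelled in stand-alone C as an added example (this is not the kernel's code): a cut-down struct kprobe whose ftrace-based entry carries a NULL ainsn.insn, a get_kprobe() stand-in over a constructed table, and the prefixed-instruction test skipped through kprobe_ftrace() the way the fix does it. The table, its addresses and the simplified ppc_inst_prefixed() are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KPROBE_FLAG_FTRACE 0x4  /* same bit the kernel uses */
/* Cut-down model of struct kprobe (added example, not kernel code). */
struct kprobe {
    uintptr_t addr;                    /* probed address */
    unsigned int flags;                /* KPROBE_FLAG_FTRACE: probe rides on ftrace */
    struct { uint32_t *insn; } ainsn;  /* copied instruction; NULL for ftrace probes */
};
/* ftrace-based probes have no copied instruction, so insn must never be read. */
static bool kprobe_ftrace(const struct kprobe *p) { return p->flags & KPROBE_FLAG_FTRACE; }
/* powerpc: a prefixed (8-byte) instruction has primary opcode 1 in its first word. */
static bool ppc_inst_prefixed(uint32_t word) { return (word >> 26) == 1; }

/* Stand-in for get_kprobe(): linear lookup by address in a small constructed table. */
static struct kprobe *get_kprobe(struct kprobe *table, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (table[i].addr == addr) return &table[i];
    return NULL;
}

/* The fixed check: is the probe one instruction (4 bytes) before p on a prefixed
 * instruction?  The original read prev->ainsn.insn unconditionally, which is
 * NULL for an ftrace-based prev; the !kprobe_ftrace(prev) guard skips that read. */
static bool prev_is_prefixed(struct kprobe *table, size_t n, const struct kprobe *p)
{
    struct kprobe *prev = get_kprobe(table, n, p->addr - 4);
    return prev && !kprobe_ftrace(prev) && ppc_inst_prefixed(*prev->ainsn.insn);
}

/* Constructed probes: 0x1000 rides on ftrace and 0x1004 is the next instruction
 * (the oops case); 0x2000 copies a prefixed word and 0x2004 follows it. */
static uint32_t prefixed_word = 0x06000000, plain_word = 0x60000000; /* opcode 1 / ori nop */
static struct kprobe sample[] = {
    { .addr = 0x1000, .flags = KPROBE_FLAG_FTRACE, .ainsn.insn = NULL },
    { .addr = 0x1004, .flags = 0, .ainsn.insn = &plain_word },
    { .addr = 0x2000, .flags = 0, .ainsn.insn = &prefixed_word },
    { .addr = 0x2004, .flags = 0, .ainsn.insn = &plain_word },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("probe 0x%lx: prev prefixed? %s\n", (unsigned long)sample[i].addr,
               prev_is_prefixed(sample, NSAMPLE, &sample[i]) ? "yes" : "no");
    return 0;
}
```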
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in the Linux kernel's powerpc kprobes subsystem can be triggered by registering a kprobe at an offset after an ftrace-based probe, causing a local denial of service.
Vulnerability
Description
CVE-2022-50635 is a null pointer dereference vulnerability in the Linux kernel's powerpc architecture, specifically within the arch_prepare_kprobe() function. The bug occurs when a user registers a kprobe at an instruction offset immediately following an existing ftrace-based kprobe. In such cases, the kernel fails to allocate the ainsn::insn field, leaving it as NULL. When the second kprobe is prepared, the code attempts to dereference this NULL pointer, leading to a kernel crash [1][2].
Exploitation
The vulnerability can be triggered locally by any user with the ability to create kprobes (typically root). The attack surface is limited to the powerpc architecture. The trigger sequence involves first registering a kprobe on a function that uses ftrace (e.g., cmdline_proc_show), then registering a second kprobe at a +16-byte offset from the first. This causes the kernel to attempt to read from address 0x0, resulting in a NULL pointer dereference and an immediate system crash (Oops) [1].
Impact
A successful exploit results in a denial of service (DoS) condition, as the kernel panics and becomes unavailable. The vulnerability does not appear to allow privilege escalation or arbitrary code execution, as the crash occurs in kernel context and the attacker only controls the probe registration, not the dereferenced data [1][2].
Mitigation
The issue was fixed in the Linux kernel by adding a NULL check for ainsn::insn in arch_prepare_kprobe(). Patches were applied to the stable kernel trees, and users should update to a kernel version containing the fix. No workaround is available other than avoiding the specific probe registration sequence [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
47f536a8cb62d4eac4f6a86ae5fd1b369387c97f88a3d7231
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.