VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50656

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: Clear nfc_target before being used

Fix a slab-out-of-bounds read that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, which is duplicated from an nfc_target in pn533, is too large as the nfc_target is not properly initialized and retains garbage values. Clear nfc_targets with memset() before they are used.

Found by a modified version of syzkaller.

BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
 memcpy
 nla_put
 nfc_genl_dump_targets
 genl_lock_dumpit
 netlink_dump
 __netlink_dump_start
 genl_family_rcv_msg_dumpit
 genl_rcv_msg
 netlink_rcv_skb
 genl_rcv
 netlink_unicast
 netlink_sendmsg
 sock_sendmsg
 ____sys_sendmsg
 ___sys_sendmsg
 __sys_sendmsg
 do_syscall_64

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An uninitialized nfc_target struct in the Linux kernel's pn533 driver can cause a slab-out-of-bounds read when nla_put() is called, leaking kernel memory.

Vulnerability

Description

The Linux kernel's NFC (Near Field Communication) pn533 driver fails to properly initialize the nfc_target structure before use. This oversight means that when a target is created, fields such as sensb_res_len can contain uninitialized (garbage) values. The CVE description reports this leads to a slab-out-of-bounds read in nla_put() when called from nfc_genl_send_target() during netlink operations [1].

Exploitation

Method

An attacker with local access to the system could trigger this vulnerability by sending crafted NFC frames via the pn533 driver. The bug was discovered using a modified version of syzkaller, a kernel fuzzer. No authentication is required beyond local access to the NFC interface. The uninitialized data is copied into a netlink message, causing nla_put() to read beyond the intended bounds of the slab allocation [1].

Impact

Successful exploitation results in a slab-out-of-bounds read, which can leak sensitive kernel memory contents to the attacker. This could expose information useful for further exploitation, such as kernel pointers or data structures. The vulnerability also causes a kernel crash (KASAN splat) leading to a denial of service [1].

Mitigation

The fix involves clearing the nfc_target structure with memset() before use, ensuring all fields are zero-initialized. This patch has been applied to stable kernel trees [2][3][4]. Users should update to a patched kernel version. No workarounds are available; updating is the only recommended action.
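The bug class and its fix, as an added C example that is not the kernel's code: a simplified stand-in for struct nfc_target (only the fields involved here), a hypothetical Type-A parser that leaves the Type-B fields untouched, and an encoder standing in for the nla_put() copy that rejects a sensb_res_len larger than the array. Stale memory contents are constructed as 0xff so the result is deterministic.

```c
#include <stdint.h>
#include <string.h>
#define NFC_SENSB_RES_MAXSIZE 12   /* the kernel's size limit for sensb_res */

/* Simplified stand-in for the kernel's struct nfc_target: only the
 * fields this bug involves are modelled. */
struct nfc_target {
    uint16_t sens_res;
    uint8_t  sensb_res_len;
    uint8_t  sensb_res[NFC_SENSB_RES_MAXSIZE];
};

/* Hypothetical per-protocol parser: a Type-A target sets sens_res and
 * never touches the Type-B fields, so they keep whatever was there. */
static void fill_type_a_target(struct nfc_target *t, uint16_t sens_res)
{
    t->sens_res = sens_res;
}

/* Stand-in for the nfc_genl_send_target()/nla_put() copy: bytes copied,
 * or -1 if sensb_res_len would overrun sensb_res (the KASAN OOB read). */
static int encode_sensb_res(const struct nfc_target *t, uint8_t *out, size_t out_len)
{
    if (t->sensb_res_len > sizeof(t->sensb_res) || t->sensb_res_len > out_len)
        return -1;
    memcpy(out, t->sensb_res, t->sensb_res_len);
    return t->sensb_res_len;
}

/* Before the fix: the target occupies memory still holding stale bytes.
 * Reused slab contents are constructed as 0xff here for determinism. */
int encode_without_clear(void)
{
    struct nfc_target t;
    uint8_t out[NFC_SENSB_RES_MAXSIZE];
    memset(&t, 0xff, sizeof(t));            /* stale contents (constructed) */
    fill_type_a_target(&t, 0x0004);
    return encode_sensb_res(&t, out, sizeof(out));  /* -1: len 255 > 12 */
}

/* After the fix: clear the whole target before the parser fills it,
 * so an unset sensb_res_len is 0 and nothing past the array is read. */
int encode_with_clear(void)
{
    struct nfc_target t;
    uint8_t out[NFC_SENSB_RES_MAXSIZE];
    memset(&t, 0, sizeof(t));               /* the fix: zero every field */
    fill_type_a_target(&t, 0x0004);
    return encode_sensb_res(&t, out, sizeof(out));  /* 0 */
}
```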

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)
  • Linux/Kernel (inferred; 2 versions, no CPE)

Patches (9)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)
