Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50666

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix QP destroy to wait for all references dropped.

Delay QP destroy completion until all siw references to QP are dropped. The calling RDMA core will free QP structure after successful return from siw_qp_destroy() call, so siw must not hold any remaining reference to the QP upon return. A use-after-free was encountered in xfstest generic/460, while testing NFSoRDMA. Here, after a TCP connection drop by peer, the triggered siw_cm_work_handler got delayed until after QP destroy call, referencing a QP which has already been freed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's RDMA/siw driver occurs because QP destroy does not wait for all references to be dropped, allowing stale work handler access.

Vulnerability Description

In the Linux kernel's RDMA/siw driver, the QP (Queue Pair) destroy operation in siw_qp_destroy() does not ensure that all siw references to the QP are dropped before completing. The RDMA core frees the QP structure immediately after a successful return from siw_qp_destroy(), so siw must not hold any remaining references. However, due to this missing synchronization, a use-after-free can occur.

Exploitation Scenario

The vulnerability was encountered in xfstest generic/460 while testing NFSoRDMA [1]. The trigger is a TCP connection drop by the peer: the resulting siw_cm_work_handler run is delayed until after the QP destroy call, by which point the QP has already been freed. The delayed work handler then accesses the freed QP structure, leading to a use-after-free condition.

Impact

An attacker who can cause a TCP connection drop (e.g., by closing a network connection or inducing a network failure) may trigger this race condition. Successful exploitation could result in a kernel crash (denial of service) or potentially, though not confirmed in the description, arbitrary code execution due to the use-after-free. The attack surface.

Mitigation

The fix is included in the referenced Linux kernel stable tree commit [1]. The patch makes QP destroy wait for all siw references to be released before returning, which prevents the race condition. Users should apply the latest stable kernel updates that contain this commit.
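The ordering that the fix enforces, as a userspace model added here for illustration (not code from the kernel or the siw driver; the pthread structure and every name, such as `model_qp` and `qp_destroy_wait`, are assumptions): destroy drops its own reference and blocks until the delayed work has dropped the last one, so the caller's free cannot precede the late access.

```c
#include <pthread.h>
#include <stdlib.h>

/* Userspace model, not siw code; every name here is hypothetical. */
struct model_qp { int refs, touched; }; /* refcount; set by late handler */
static pthread_mutex_t qp_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t qp_cv = PTHREAD_COND_INITIALIZER;

/* Connection work that is delayed until destroy has dropped its reference. */
static void *late_work(void *arg) {
    struct model_qp *qp = arg;
    pthread_mutex_lock(&qp_lock);
    while (qp->refs > 1)
        pthread_cond_wait(&qp_cv, &qp_lock);
    qp->touched = 1;                  /* late access to the QP */
    if (--qp->refs == 0)              /* put: last reference dropped */
        pthread_cond_broadcast(&qp_cv);
    pthread_mutex_unlock(&qp_lock);
    return NULL;
}

/* Drop the caller's reference, then block until no reference remains. */
static void qp_destroy_wait(struct model_qp *qp) {
    pthread_mutex_lock(&qp_lock);
    qp->refs--;
    pthread_cond_broadcast(&qp_cv);   /* the delayed work may now run */
    while (qp->refs > 0)
        pthread_cond_wait(&qp_cv, &qp_lock);
    pthread_mutex_unlock(&qp_lock);
}

/* Returns 1 if the late access landed before destroy returned, -1 on error. */
int run_scenario(void) {
    struct model_qp *qp = calloc(1, sizeof(*qp));
    pthread_t worker;
    if (qp)
        qp->refs = 2;                 /* owner + the queued work item */
    if (!qp || pthread_create(&worker, NULL, late_work, qp)) {
        free(qp);
        return -1;
    }
    qp_destroy_wait(qp);
    int seen = qp->touched;           /* no other reference holder is left */
    free(qp);                         /* caller frees once destroy returns */
    pthread_join(worker, NULL);
    return seen;
}

int main(void) { return run_scenario() == 1 ? 0 : 1; }
```

Without the wait loop in `qp_destroy_wait`, the `free` in `run_scenario` could run before `late_work` writes to the object, which is the ordering the advisory describes.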

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
