VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50679

Description

In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix DMA mappings leak

During reallocation of RX buffers, new DMA mappings are created for those buffers.

Steps for reproduction:

    while :
    do
        for ((i=0; i<=8160; i=i+32))
        do
            ethtool -G enp130s0f0 rx $i tx $i
            sleep 0.5
            ethtool -g enp130s0f0
        done
    done

This resulted in crash:

    i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536
    Driver BUG
    WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50
    Call Trace:
    i40e_free_rx_resources+0x70/0x80 [i40e]
    i40e_set_ringparam+0x27c/0x800 [i40e]
    ethnl_set_rings+0x1b2/0x290
    genl_family_rcv_msg_doit.isra.15+0x10f/0x150
    genl_family_rcv_msg+0xb3/0x160
    ? rings_fill_reply+0x1a0/0x1a0
    genl_rcv_msg+0x47/0x90
    ? genl_family_rcv_msg+0x160/0x160
    netlink_rcv_skb+0x4c/0x120
    genl_rcv+0x24/0x40
    netlink_unicast+0x196/0x230
    netlink_sendmsg+0x204/0x3d0
    sock_sendmsg+0x4c/0x50
    __sys_sendto+0xee/0x160
    ? handle_mm_fault+0xbe/0x1e0
    ? syscall_trace_enter+0x1d3/0x2c0
    __x64_sys_sendto+0x24/0x30
    do_syscall_64+0x5b/0x1a0
    entry_SYSCALL_64_after_hwframe+0x65/0xca
    RIP: 0033:0x7f5eac8b035b

    Missing register, driver bug
    WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140
    Call Trace:
    xdp_rxq_info_unreg+0x1e/0x50
    i40e_free_rx_resources+0x70/0x80 [i40e]
    i40e_set_ringparam+0x27c/0x800 [i40e]
    ethnl_set_rings+0x1b2/0x290
    genl_family_rcv_msg_doit.isra.15+0x10f/0x150
    genl_family_rcv_msg+0xb3/0x160
    ? rings_fill_reply+0x1a0/0x1a0
    genl_rcv_msg+0x47/0x90
    ? genl_family_rcv_msg+0x160/0x160
    netlink_rcv_skb+0x4c/0x120
    genl_rcv+0x24/0x40
    netlink_unicast+0x196/0x230
    netlink_sendmsg+0x204/0x3d0
    sock_sendmsg+0x4c/0x50
    __sys_sendto+0xee/0x160
    ? handle_mm_fault+0xbe/0x1e0
    ? syscall_trace_enter+0x1d3/0x2c0
    __x64_sys_sendto+0x24/0x30
    do_syscall_64+0x5b/0x1a0
    entry_SYSCALL_64_after_hwframe+0x65/0xca
    RIP: 0033:0x7f5eac8b035b

This was caused because new buffers with a different RX ring count should substitute older ones, but those buffers were freed in i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi, thus kfree on rx_bi caused a leak of already mapped DMA.

Fix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally reallocate back to rx_bi when BPF program unloads.

If BPF program is loaded/unloaded and XSK pools are created, reallocate RX queues accordingly in XSP_SETUP_XSK_POOL handler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-50679 is a DMA mapping leak in the Linux kernel's i40e driver that can cause memory exhaustion and kernel crashes during RX ring reconfiguration via ethtool.

CVE-2022-50679 is a vulnerability in the Linux kernel's i40e Ethernet driver that leads to a DMA mapping leak during the reallocation of receive (RX) buffers. The root cause is that when the driver reconfigures RX rings, new DMA mappings are created for the buffers, but the old mappings are not properly freed. The reuse of DMA mappings without cleanup results in resource exhaustion [1].

Exploitation Context

The vulnerability can be triggered by repeatedly changing the RX and TX ring sizes via the ethtool -G command, as demonstrated in the bug report with a loop ranging the ring count from 0 to 8160 in steps of 32. The attack surface is local; an unprivileged user with access to the network interface can (if permitted by their system's policy) reconfigure rings and trigger the leak. No authentication beyond the local user account is required, and the driver's response to resource exhaustion causes the kernel to crash with a BUG or warning trace [1].

Impact

An attacker who can continuously force ring reallocation will exhaust the DMA pool, eventually triggering a kernel BUG (e.g., "Unable to allocate memory for the Rx descriptor ring") and system instability. The crash traces show unregister operations failing in the XDP subsystem (xdp_rxq_info_unreg), leading to a denial of service on the affected host [1].
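A kernel-log check for the crash signature quoted in the description, given here as an added example that is not part of the advisory or the kernel patch. The function name find_i40e_ring_failures, the WINDOW bound and the sample log (abbreviated from the quoted trace, with constructed timestamps and one constructed unrelated warning) are assumptions.

```python
import re
from itertools import takewhile

# Signatures copied from the crash output quoted in the CVE description.
ALLOC_FAIL = re.compile(
    r"i40e (?P<pci>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]): "
    r"Unable to allocate memory for the Rx descriptor ring, size=(?P<size>\d+)")
XDP_WARN = re.compile(
    r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at net/core/xdp\.c:\d+ "
    r"(?P<func>xdp_rxq_info_unreg(?:_mem_model)?)\+")
# Frames that tie an XDP warning to the i40e ring-resize path in the trace.
RING_PATH = ("i40e_free_rx_resources", "i40e_set_ringparam")
WINDOW = 40  # assumed upper bound on call-trace length, in log lines

# Constructed sample: abbreviated copy of the quoted trace plus one unrelated
# warning (hypothetical "other" driver) that must not be reported.
SAMPLE_LOG = """\
[  812.101] i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536
[  812.103] WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50
[  812.104] Call Trace:
[  812.105]  i40e_free_rx_resources+0x70/0x80 [i40e]
[  812.106]  i40e_set_ringparam+0x27c/0x800 [i40e]
[  812.109] WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140
[  812.110] Call Trace:
[  812.111]  xdp_rxq_info_unreg+0x1e/0x50
[  812.112]  i40e_free_rx_resources+0x70/0x80 [i40e]
[  812.113]  i40e_set_ringparam+0x27c/0x800 [i40e]
[  900.001] WARNING: CPU: 2 PID: 77 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50
[  900.003]  other_driver_close+0x10/0x20 [other]
""".splitlines()


def find_i40e_ring_failures(lines):
    """Report Rx ring allocation failures and XDP unregister warnings whose
    call trace passes through the i40e ring-resize functions."""
    findings = []
    for n, line in enumerate(lines):
        if m := ALLOC_FAIL.search(line):
            findings.append({"kind": "rx_ring_alloc_failure", "line": n,
                             "device": m["pci"], "size": int(m["size"])})
        elif m := XDP_WARN.search(line):
            # The trace ends where the next WARNING begins.
            trace = list(takewhile(lambda f: "WARNING:" not in f,
                                   lines[n + 1:n + 1 + WINDOW]))
            if all(any(fn in frame for frame in trace) for fn in RING_PATH):
                findings.append({"kind": "xdp_unreg_warning", "line": n,
                                 "func": m["func"], "pid": int(m["pid"])})
    return findings
```

The same function can be run over the lines of `dmesg` or `journalctl -k` output from a host that uses the i40e driver.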

Mitigation

The fix has been committed to the Linux kernel stable tree (commit 3a0d33...) and should be backported to affected distributions. Users are advised to update their kernel to a version containing the patch. No workaround other than avoiding frequent ring-size changes is currently documented, and the CVE is not reported on the CISA Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (inferred), 2 versions, no CPE
