VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50697

Description

In the Linux kernel, the following vulnerability has been resolved:

mrp: introduce active flags to prevent UAF when applicant uninit

The caller of del_timer_sync() must prevent the timer from being restarted. Without this synchronization, there is a small probability that the cancellation will not succeed.

And syzbot reports the following crash:

==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]

CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
 show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x1a8/0x4a0 mm/kasan/report.c:395
 kasan_report+0x94/0xb4 mm/kasan/report.c:495
 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
 do_bad_area arch/arm64/mm/fault.c:473 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
 hlist_add_head include/linux/list.h:929 [inline]
 enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
 mod_timer+0x14/0x20 kernel/time/timer.c:1161
 mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
 mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
 expire_timers+0x98/0xc4 kernel/time/timer.c:1519

To fix it, we can introduce a new active flag to make sure the timer will not restart.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's MRP (Multiple Registration Protocol) due to a race condition when stopping the periodic timer during applicant uninit.

Vulnerability

CVE-2022-50697 is a use-after-free (UAF) vulnerability in the Linux kernel's Multiple Registration Protocol (MRP) implementation, specifically in mrp_periodic_timer_arm and the related timer functions. The root cause is a race: the caller of del_timer_sync() must prevent the timer from being restarted, but the code lacked that synchronization, so the periodic timer could be re-armed after it had been cancelled. The re-armed timer then fires against memory that has already been freed, producing a write-after-free in the timer callback, as shown by the syzbot crash report in which KASAN flags a UAF in enqueue_timer [1].

Exploitation

An attacker would need to trigger the MRP applicant uninit path in the kernel, which is typically reachable from user space via netlink or socket operations related to MRP (e.g., bridging or mrp_init). The vulnerability is triggered during the applicant uninitialization sequence, where the periodic timer is cancelled but can be restarted by a concurrent operation before the data structures are fully freed. No special privileges are required beyond the ability to create MRP sockets, which is available to unprivileged users in many configurations.

Impact

Successful exploitation results in a use-after-free condition, which can lead to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context. The syzbot report confirms a kernel panic with KASAN detecting the UAF, indicating a high severity for system stability and security.

Mitigation

The fix introduces an 'active' flag to track whether the MRP applicant is still active, preventing the timer from being re-armed after uninit begins. The patch has been applied to the stable kernel tree [1][2][3][4]. Users should update to a kernel version containing the fix (e.g., 6.1.0-rc5 or later with the specific commit). No workaround is available; patching is required.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
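The cancel-versus-re-arm race that the Description and Mitigation sections describe, as an added C example that is not part of this advisory or of the kernel's net/802/mrp.c: a single-slot stand-in for the timer wheel, an applicant whose periodic callback re-arms itself, and the interleaving in which uninit's cancel runs while that callback is already in flight, with and without clearing the active flag first. The timer-wheel model, `from_timer` and `uninit_races_callback` are constructed simplifications (the kernel's del_timer_sync() also waits for a running callback, which this model leaves out); the kernel guards `active` with app->lock, omitted here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Single-slot stand-in for the kernel timer wheel (constructed for this example). */
struct timer_list {
    void (*function)(struct timer_list *t);
    bool pending;                /* true while queued in the wheel */
};
static void mod_timer(struct timer_list *t)      { t->pending = true; }
static void del_timer_sync(struct timer_list *t) { t->pending = false; }

struct mrp_applicant {
    struct timer_list periodic_timer;
    bool active;                 /* the flag the fix adds; app->lock protects it in the kernel */
};
/* Userspace stand-in for the kernel's from_timer() container lookup. */
#define from_timer(ptr, member) \
    ((struct mrp_applicant *)((char *)(ptr) - offsetof(struct mrp_applicant, member)))

/* Periodic callback as fixed: re-arm only while the applicant is still active.
 * With active never cleared it behaves exactly like the pre-fix callback. */
static void mrp_periodic_timer(struct timer_list *t)
{
    struct mrp_applicant *app = from_timer(t, periodic_timer);
    if (app->active)
        mod_timer(&app->periodic_timer);
}

/* Models the interleaving behind the syzbot report: the expired timer has been
 * dequeued and its callback is in flight when uninit runs; the cancel finds the
 * wheel empty, the callback then re-arms, and uninit frees the applicant.
 * Returns true when a timer is still queued at free time, i.e. the wheel holds
 * a pointer into freed memory (the UAF KASAN caught in enqueue_timer). */
static bool uninit_races_callback(bool clear_active_first)
{
    struct mrp_applicant app = { { mrp_periodic_timer, false }, true };

    mod_timer(&app.periodic_timer);                   /* applicant armed */
    app.periodic_timer.pending = false;               /* wheel dequeues expired timer ... */
    if (clear_active_first)                           /* ... uninit begins on another CPU */
        app.active = false;                           /* the fix: stop re-arming first */
    del_timer_sync(&app.periodic_timer);              /* nothing queued, returns at once */
    app.periodic_timer.function(&app.periodic_timer); /* in-flight callback finishes */
    return app.periodic_timer.pending;                /* uninit now frees app */
}

int main(void)
{
    printf("without active flag: timer dangling after free = %d\n", uninit_races_callback(false));
    printf("with active flag:    timer dangling after free = %d\n", uninit_races_callback(true));
    return 0;
}
```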

Affected products: 1

Patches: 9

Vulnerability mechanics: generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0. No linked articles in our index yet.