CVE-2022-50780
Description
In the Linux kernel, the following vulnerability has been resolved:
net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed
When the ops_init() interface is invoked to initialize the net, but ops->init() fails, data is released. However, the ptr pointer in net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked to release the net, invalid address access occurs.
The process is as follows:

setup_net()
    ops_init()
        data = kzalloc(...)             ---> alloc "data"
        net_assign_generic()            ---> assign "data" to ptr in net->gen
        ...
        ops->init()                     ---> failed
        ...
        kfree(data);                    ---> ptr in net->gen is invalid
    ...
    ops_exit_list()
        ...
        nfqnl_nf_hook_drop()
            *q = nfnl_queue_pernet(net) ---> q is invalid
The following is the Call Trace information:

BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280
Read of size 8 at addr ffff88810396b240 by task ip/15855

Call Trace:
    dump_stack_lvl+0x8e/0xd1
    print_report+0x155/0x454
    kasan_report+0xba/0x1f0
    nfqnl_nf_hook_drop+0x264/0x280
    nf_queue_nf_hook_drop+0x8b/0x1b0
    __nf_unregister_net_hook+0x1ae/0x5a0
    nf_unregister_net_hooks+0xde/0x130
    ops_exit_list+0xb0/0x170
    setup_net+0x7ac/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0

Allocated by task 15855:
    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    __kasan_kmalloc+0xa1/0xb0
    __kmalloc+0x49/0xb0
    ops_init+0xe7/0x410
    setup_net+0x5aa/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 15855:
    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    kasan_save_free_info+0x2a/0x40
    ____kasan_slab_free+0x155/0x1b0
    slab_free_freelist_hook+0x11b/0x220
    __kmem_cache_free+0xa4/0x360
    ops_init+0xb9/0x410
    setup_net+0x5aa/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's nfqnl_nf_hook_drop() occurs when ops_init() fails, leaving a dangling pointer in net->gen.
Vulnerability
CVE-2022-50780 is a use-after-free (UAF) vulnerability in the Linux kernel's netfilter queue (nfqueue) subsystem. The bug arises during network namespace creation: ops_init() allocates the per-net data and publishes it via net_assign_generic(), and when the subsequent ops->init() call fails, the allocated data is freed. However, the pointer stored in net->gen is not cleared, leaving a dangling reference [1].
Exploitation
When the network namespace is then torn down, nfqnl_nf_hook_drop() retrieves the per-net data via nfnl_queue_pernet(net), which reads the stale pointer from net->gen. The result is an access to freed memory, as shown by the KASAN report of an 8-byte read at the freed address [1]. The attack surface is local: triggering the bug requires the ability to create and destroy network namespaces (e.g., via unshare), and the outcome is denial of service or potentially privilege escalation.
Impact
An attacker with sufficient privileges to create network namespaces (e.g., in a container environment) can trigger the UAF, potentially leading to memory corruption, system crash, or privilege escalation. The vulnerability is rated with a CVSS v3.1 score of 7.8 (High) due to its high impact on confidentiality, integrity, and availability.
Mitigation
The issue has been patched in the Linux kernel stable releases. The fix ensures that when ops_init() fails, the dangling pointer in net->gen is properly cleaned up before the per-net data is freed [1][2][3]. Users should apply the latest kernel updates from their distribution.
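The failure path from the Description and the cleanup described under Mitigation, as an added userspace C model that is not the kernel's own code: net->gen is reduced to a plain pointer array, ops_init() takes a flag selecting the buggy or the corrected cleanup, and pernet_lookup() stands in for nfnl_queue_pernet(). The struct layouts, the flag and the function teardown_sees_stale_pointer() are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for net->gen: one slot per registered pernet id. */
struct net { void *gen_ptr[8]; };

struct pernet_operations {
    int id;                     /* slot index in net->gen_ptr[] */
    size_t size;                /* size of the per-net data */
    int (*init)(struct net *);  /* the ops->init() that may fail */
};

/* Mirrors net_assign_generic(): publish (or clear) a subsystem's per-net data. */
static void net_assign_generic(struct net *net, int id, void *data) { net->gen_ptr[id] = data; }

/* Model of ops_init(). With clear_on_failure=false the slot keeps the freed
 * address after ops->init() fails (the CVE-2022-50780 bug); with
 * clear_on_failure=true the slot is reset before the data is freed. */
static int ops_init(struct net *net, const struct pernet_operations *ops,
                    bool clear_on_failure)
{
    void *data = calloc(1, ops->size);
    if (!data)
        return -1;
    net_assign_generic(net, ops->id, data);          /* slot now points at data */
    int err = ops->init(net);
    if (err) {
        if (clear_on_failure)
            net_assign_generic(net, ops->id, NULL);  /* drop the reference first */
        free(data);
    }
    return err;
}

/* Stand-in for nfnl_queue_pernet(net) as read by the teardown hook. */
static void *pernet_lookup(const struct net *net, int id) { return net->gen_ptr[id]; }

static int failing_init(struct net *net) { (void)net; return -1; }

/* Drive one failed initialisation; true means the teardown side would still
 * find a pointer in the slot, i.e. a use-after-free waiting to happen. */
bool teardown_sees_stale_pointer(bool fixed)
{
    struct net net;
    struct pernet_operations ops = { .id = 3, .size = 64, .init = failing_init };
    memset(&net, 0, sizeof net);
    ops_init(&net, &ops, fixed);
    return pernet_lookup(&net, ops.id) != NULL;
}
```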
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (6)
- 5a2ea549be94
- 97ad240fd9aa
- c3edc6e80820
- a1e18acb0246
- 4a4df5e78712
- d266935ac43d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- git.kernel.org/stable/c/4a4df5e78712de39d6f90d6a64b5eb48dca03bd5 (nvd)
- git.kernel.org/stable/c/5a2ea549be94924364f6911227d99be86e8cf34a (nvd)
- git.kernel.org/stable/c/97ad240fd9aa9214497d14af2b91608e20856cac (nvd)
- git.kernel.org/stable/c/a1e18acb0246bfb001b08b8b1b830b5ec92a0f13 (nvd)
- git.kernel.org/stable/c/c3edc6e808209aa705185f732e682a370981ced1 (nvd)
- git.kernel.org/stable/c/d266935ac43d57586e311a087510fe6a084af742 (nvd)