CVE-2022-50814
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr
KASAN reported this Bug:
[17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60
[17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958
...
[17619.698934] The buggy address belongs to the variable:
[17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip]
There is a mismatch in hisi_zip when getting/setting the variable sgl_sge_nr. The type of sgl_sge_nr is u16, and sgl_sge_nr is get/set by param_get/set_int.
Replacing param_get/set_int with param_get/set_ushort can fix this bug.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A type mismatch in the Linux kernel's hisi_zip driver causes a global out-of-bounds read when accessing the sgl_sge_nr parameter, fixed by using the correct param_get/set_ushort functions.
Vulnerability
Analysis
CVE-2022-50814 is a bug in the Linux kernel's crypto subsystem, specifically in the hisi_zip driver for HiSilicon accelerators. The root cause is a type mismatch: the variable sgl_sge_nr is declared as u16 (unsigned 16-bit integer), but the driver used param_get_int and param_set_int functions to get and set its value. These functions operate on int (32-bit), leading to a global out-of-bounds read when the parameter is accessed, as reported by KASAN [1].
Exploitation
An attacker with local access and the ability to read the sgl_sge_nr parameter (e.g., via sysfs) could trigger the out-of-bounds read. No authentication beyond local user access is required. The bug manifests as a KASAN report showing a read of size 4 at an address within the sgl_sge_nr variable's region, indicating memory corruption or information disclosure [1].
Impact
A successful exploit could lead to a kernel crash (denial of service) or potentially leak sensitive kernel memory. The out-of-bounds read occurs in param_get_int, which is used to retrieve the parameter value, so an attacker could read adjacent memory [1].
Mitigation
The fix replaces param_get_int/param_set_int with param_get_ushort/param_set_ushort, matching the u16 type. The patch has been applied to the stable kernel tree [1][2]. Users should update to a kernel version containing the fix.
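The width mismatch and its fix, modelled in user space as an added example (not the kernel's or the driver's code). The 4-byte buffer, the neighbouring variable and the values 10, 5 and 0xBEEF are constructed, and the model assumes a 4-byte int and a 2-byte unsigned short.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the module's data: bytes 0-1 hold the u16 parameter
 * (sgl_sge_nr on the page), bytes 2-3 a hypothetical neighbouring variable. */
static unsigned char mod_data[4];
enum { PARAM_OFF = 0, NEIGHBOUR_OFF = 2 };

static void store_u16(int off, unsigned short v) { memcpy(mod_data + off, &v, sizeof v); }
static unsigned short load_u16(int off)
{
    unsigned short v;
    memcpy(&v, mod_data + off, sizeof v);
    return v;
}

/* int-typed accessors: touch sizeof(int) bytes at the parameter's address,
 * i.e. 4 bytes where the variable owns only 2 (the mismatch in the CVE). */
static int get_as_int(void)
{
    int v;
    memcpy(&v, mod_data + PARAM_OFF, sizeof v);
    return v;
}
static void set_as_int(int v) { memcpy(mod_data + PARAM_OFF, &v, sizeof v); }

/* ushort-typed accessors: touch exactly the 2 bytes of the u16 (the fix). */
static unsigned short get_as_ushort(void) { return load_u16(PARAM_OFF); }
static void set_as_ushort(unsigned short v) { store_u16(PARAM_OFF, v); }

int main(void)
{
    store_u16(PARAM_OFF, 10);          /* constructed parameter value */
    store_u16(NEIGHBOUR_OFF, 0xBEEF);  /* constructed neighbour contents */

    printf("ushort getter: %u\n", (unsigned)get_as_ushort());
    printf("int getter:    0x%08x (neighbour bytes mixed in)\n", (unsigned)get_as_int());

    set_as_ushort(5);
    printf("after ushort set: neighbour = 0x%04x\n", (unsigned)load_u16(NEIGHBOUR_OFF));
    set_as_int(5);
    printf("after int set:    neighbour = 0x%04x (overwritten)\n", (unsigned)load_u16(NEIGHBOUR_OFF));
    return 0;
}
```

In the kernel the bytes past the variable are not a known neighbour but whatever follows it in the module's global data, which is why KASAN flags the 4-byte access.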
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches (5): d88b88514ef2, 272093471305, f8a983d6e01b, 5eaebd19fbb0, d74f9340097a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/272093471305261c4e07a2fc97c2d1e53cd56819 (nvd)
- git.kernel.org/stable/c/5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15 (nvd)
- git.kernel.org/stable/c/d74f9340097a881869c4c22ca376654cc2516ecc (nvd)
- git.kernel.org/stable/c/d88b88514ef28515ccfa1f1787c2aedef75a79dd (nvd)
- git.kernel.org/stable/c/f8a983d6e01b198320d310cb1326364d7d973b2a (nvd)