VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50816

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: ensure sane device mtu in tunnels

Another syzbot report [1] with no reproducer hints at a bug in ip6_gre tunnel (dev:ip6gretap0)

Since ipv6 mcast code makes sure to read dev->mtu once and applies a sanity check on it (see commit b9b312a7a451 "ipv6: mcast: better catch silly mtu values"), a remaining possibility is that a layer is able to set dev->mtu to an underflowed value (high order bit set).

This could happen indeed in ip6gre_tnl_link_config_route(), ip6_tnl_link_config() and ipip6_tunnel_bind_dev()

Make sure to sanitize mtu value in a local variable before it is written once on dev->mtu, as lockless readers could catch wrong temporary value.

[1]
skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:120
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: mld mld_ifc_work
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116
lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116
sp : ffff800020dd3b60
x29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800
x26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200
x23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38
x20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9
x17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80
x11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00
x8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089
Call trace:
 skb_panic+0x4c/0x50 net/core/skbuff.c:116
 skb_over_panic net/core/skbuff.c:125 [inline]
 skb_put+0xd4/0xdc net/core/skbuff.c:2049
 ip6_mc_hdr net/ipv6/mcast.c:1714 [inline]
 mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765
 add_grhead net/ipv6/mcast.c:1851 [inline]
 add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989
 mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115
 mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple IPv6 tunnel interfaces in the Linux kernel could set dev->mtu to an underflowed value, leading to a kernel panic via skb_over_panic.

Vulnerability

The Linux kernel tunnels (specifically ip6_gre, ip6_tnl, and ipip6_tunnel) contained a flaw where the device MTU (dev->mtu) could be set to an underflowed value (i.e., a value with the high-order bit set) during tunnel configuration. This occurred in functions such as ip6gre_tnl_link_config_route(), ip6_tnl_link_config(), and ipip6_tunnel_bind_dev().

Exploitation

The bug was discovered via a syzbot report that triggered an skb_over_panic in net/core/skbuff.c on the ip6gretap0 interface [1]. No reproducer was provided, but the root cause was identified: lockless readers in the IPv6 multicast code (mld_ifc_work) could read the dev->mtu value at a moment when it still held a corrupted (underflowed) value, causing downstream operations (like skb buffer allocations) to overflow [1]. An attacker would not need local access; the vulnerability could be triggered remotely by crafting IPv6 multicast traffic that reaches an affected tunnel interface.

Impact

A successful exploit leads to a kernel panic (BUG: skb_over_panic), resulting in a denial of service (DoS) on the targeted system. The crash manifests as an internal error in skb_panic() with a CPU register dump [1]. No privilege escalation is involved, but the availability impact is immediate.

Mitigation

The fix was applied to the stable kernel tree in commit 2bab6fa449d16af36d9c9518865f783a15f446c7 and backported to other stable branches via commits [2] and [3]. The patch sanitizes the MTU value in a local variable before writing it to dev->mtu, preventing lockless readers from seeing an incorrect value. Users should apply the latest stable kernel updates to resolve this issue.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
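The pattern the Mitigation paragraph describes, as an added example: a simplified user-space model written for this page, not the kernel patch or kernel source. The names toy_dev, store_mtu, config_unsafe and config_safe are hypothetical, and the 40/48 inputs are constructed; every store to the shared field is recorded to show what a lockless reader could have observed.

```c
#include <stdint.h>
#include <stdio.h>
#define MIN_MTU 1280u /* IPv6 minimum link MTU */

/* Toy stand-in for a net device (constructed for this example). Every store
 * to mtu is logged, modelling what a lockless reader could observe. */
struct toy_dev {
    uint32_t mtu;      /* unsigned, like dev->mtu */
    uint32_t min_seen; /* smallest value ever published */
    uint32_t max_seen; /* largest value ever published */
    unsigned stores;   /* number of writes to mtu */
};

static struct toy_dev new_dev(void) {
    struct toy_dev d = { 0, UINT32_MAX, 0, 0 };
    return d;
}

static void store_mtu(struct toy_dev *d, uint32_t v) {
    d->mtu = v;
    d->stores++;
    if (v < d->min_seen) d->min_seen = v;
    if (v > d->max_seen) d->max_seen = v;
}

/* Flawed pattern: arithmetic and clamp performed on the shared field. */
static uint32_t config_unsafe(struct toy_dev *d, uint32_t lower_mtu, uint32_t hlen) {
    store_mtu(d, lower_mtu - hlen); /* wraps when hlen > lower_mtu */
    if (d->mtu < MIN_MTU)           /* unsigned compare misses the wrap */
        store_mtu(d, MIN_MTU);
    return d->mtu;
}

/* Hardened pattern: signed local, clamp, then publish exactly once. */
static uint32_t config_safe(struct toy_dev *d, uint32_t lower_mtu, uint32_t hlen) {
    int64_t mtu = (int64_t)lower_mtu - (int64_t)hlen; /* cannot wrap */
    if (mtu < (int64_t)MIN_MTU)
        mtu = MIN_MTU;
    store_mtu(d, (uint32_t)mtu);
    return d->mtu;
}

int main(void) {
    struct toy_dev a = new_dev(), b = new_dev();
    printf("unsafe: %u\n", (unsigned)config_unsafe(&a, 40, 48));
    printf("safe:   %u\n", (unsigned)config_safe(&b, 40, 48));
    return 0;
}
```

With a lower-device MTU of 1300 the unsafe variant ends at 1280 but briefly publishes 1252, which is the "wrong temporary value" case; with 40 the wrapped value is never corrected at all.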
