VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 30, 2025· Updated Apr 15, 2026

CVE-2022-50817

CVE-2022-50817

Description

In the Linux kernel, the following vulnerability has been resolved:

net: hsr: avoid possible NULL deref in skb_clone()

syzbot got a crash [1] in skb_clone(), caused by a bug in hsr_get_untagged_frame().

When/if create_stripped_skb_hsr() returns NULL, we must not attempt to call skb_clone().

While we are at it, replace a WARN_ONCE() by netdev_warn_once().

[1] general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641 Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00 RSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207

RAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000 RDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000 RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140 R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640 R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620 FS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:

hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164 hsr_forward_do net/hsr/hsr_forward.c:461 [inline] hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623 hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69 __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379 __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599 netif_receive_skb_internal net/core/dev.c:5685 [inline] netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744 tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544 tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995 tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025 call_write_iter include/linux/fs.h:2187 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x9e9/0xdd0 fs/read_write.c:584 ksys_write+0x127/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's HSR protocol driver could be triggered via crafted network frames, causing a kernel panic.

Vulnerability

Description

A NULL pointer dereference vulnerability was discovered in the Linux kernel's HSR (High-availability Seamless Redundancy) protocol implementation. In the function hsr_get_untagged_frame(), the call to create_stripped_skb_hsr() can return NULL under certain conditions. The return value was not checked before being passed to skb_clone(), leading to a NULL pointer dereference and a kernel crash.

Exploitation

This vulnerability is exploitable by sending specially crafted network frames to a system using the HSR protocol. The attacker must be able to deliver frames to the HSR interface, but no authentication is required. The attack surface is the network stack, and the crash can be triggered remotely if HSR is enabled and the attacker can send packets to the victim.

Impact

A successful exploit causes a kernel panic (denial of service) as shown in the syzkaller crash report ([1]). There is no evidence of privilege escalation or remote code execution; the primary impact is system instability and availability loss.

Mitigation

The fix was committed to the Linux kernel stable tree as commit d8b57135fd9ffe9a5b445350a686442a531c5339 [1]. Users should update to a kernel version containing the patch. No workaround exists aside from disabling HSR if the protocol is not required.

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

4
ff7ba7667583
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
35ece858660e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
c46f2e0fcd1e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
d8b57135fd9f
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.