CVE-2022-50885
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
There is a null-ptr-deref when mount.cifs over rdma:
BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] Read of size 8 at addr 0000000000000018 by task mount.cifs/3046
CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3 Call Trace:
dump_stack_lvl+0x34/0x44 kasan_report+0xad/0x130 rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] execute_in_process_context+0x25/0x90 __rxe_cleanup+0x101/0x1d0 [rdma_rxe] rxe_create_qp+0x16a/0x180 [rdma_rxe] create_qp.part.0+0x27d/0x340 ib_create_qp_kernel+0x73/0x160 rdma_create_qp+0x100/0x230 _smbd_get_connection+0x752/0x20f0 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0
The root cause of the issue is the socket create failed in rxe_qp_init_req().
So move the reset rxe_qp_do_cleanup() after the NULL ptr check.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NULL-ptr-deref in Linux kernel RDMA/rxe driver when socket creation fails, causing panic; fixed by moving cleanup after null check.
Vulnerability
CVE-2022-50885 is a null-pointer dereference bug in the Linux kernel's RDMA/rxe driver, discovered when mounting CIFS over RDMA. The root cause is that when a socket creation fails in rxe_qp_init_req(), the cleanup function rxe_qp_do_cleanup() is called without checking for a NULL pointer, leading to a kernel crash.
Exploitation
An attacker with the ability to trigger a socket creation failure (e.g., by exhausting resources or manipulating network conditions) can cause the kernel to read from address 0x18, resulting in a denial of service. The attack vector is local, requiring the ability to mount CIFS over RDMA or otherwise invoke the vulnerable code path.
Impact
Successful exploitation triggers a kernel panic (NULL-ptr-deref) and system crash, leading to denial of service. No privilege escalation or data corruption has been reported.
Mitigation
The fix is available in the stable kernel tree [1], moving the reset of rxe_qp_do_cleanup() after a NULL pointer check. Users should apply the patch or update to a kernel version containing the commit.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
8ee24de0955697340ca9f782bbd7106a6004f6bb5a62bfd62f64f08b9e6fb5b924632d84a821f9a18210ff67376d80149Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/5b924632d84a60bc0c7fe6e9bbbce99d03908957nvd
- git.kernel.org/stable/c/6bb5a62bfd624039b05157745c234068508393a9nvd
- git.kernel.org/stable/c/7340ca9f782be6fbe3f64a134dc112772764f766nvd
- git.kernel.org/stable/c/821f9a18210f6b9fd6792471714c799607b25db4nvd
- git.kernel.org/stable/c/bd7106a6004f1077a365ca7f5a99c7a708e20714nvd
- git.kernel.org/stable/c/ee24de095569935eba600f7735e8e8ddea5b418envd
- git.kernel.org/stable/c/f64f08b9e6fb305a25dd75329e06ae342b9ce336nvd
- git.kernel.org/stable/c/f67376d801499f4fa0838c18c1efcad8840e550dnvd
News mentions
0No linked articles in our index yet.