Login Sign Up

CVE-2022-50103

7.1 HIGH
Denial of Service

📋 TL;DR

A Linux kernel vulnerability in the cpuset scheduler can cause a kernel panic when attempting to attach tasks to cgroups with empty CPU masks. This affects systems using cgroup v2 with specific cpuset configurations, potentially leading to denial of service.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly listed, but patches exist for multiple stable branches (see references).
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires cgroup v2 with cpusets configured with empty cpus_allowed masks. cgroup v1 is not affected as described.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, requiring physical or remote reboot.

🟠

Likely Case

System instability or crash when cgroup operations are performed on cpusets with empty CPU masks.

🟢

If Mitigated

No impact if cgroup v2 is not used or cpusets are properly configured with non-empty CPU masks.

🌐 Internet-Facing: LOW - Requires local access or ability to manipulate cgroups, typically not exposed externally.
🏢 Internal Only: MEDIUM - Local users or processes with cgroup manipulation privileges can trigger crashes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to manipulate cgroups/cpusets, typically needing appropriate privileges. Triggered during cgroup migration operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel versions with fixes (see git references in CVE description)

Vendor Advisory: https://git.kernel.org/stable/c/147f66d22f58712dce7ccdd6a1f6cb3ee8042df4

Restart Required: Yes

Instructions:

1. Identify your Linux kernel version. 2. Check if patches are available for your distribution. 3. Update kernel package via package manager (apt, yum, etc.). 4. Reboot system to load new kernel.

🔧 Temporary Workarounds

Avoid empty cpus_allowed masks

linux

Ensure cpusets have non-empty CPU masks configured in cgroup v2.

# Check cpuset configuration
cat /sys/fs/cgroup/cpuset.cpus.effective
# Set appropriate CPUs if empty
echo "0-3" > /sys/fs/cgroup/cpuset.cpus.effective

Use cgroup v1 instead of v2

linux

Switch to cgroup v1 if possible, as vulnerability specifically affects v2 behavior.

# Add kernel boot parameter
Edit /etc/default/grub and add: systemd.unified_cgroup_hierarchy=0
# Update grub and reboot
update-grub
reboot

🧯 If You Can't Patch

  • Restrict cgroup manipulation privileges to trusted users/processes only.
  • Monitor system logs for cgroup-related errors or crashes and investigate cpuset configurations.

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if cgroup v2 is active with potentially empty cpuset masks: uname -r && grep cgroup /proc/mounts | grep cgroup2

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched: uname -r should match or exceed patched versions from git references.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning dl_cpu_busy, cpuset_can_attach, or cgroup migration failures
  • Out of bounds CPU access errors in kernel logs

Network Indicators:

  • None - local vulnerability

SIEM Query:

source="kernel" AND ("dl_cpu_busy" OR "cpuset_can_attach" OR "cgroup_migrate" OR "page fault" AND "cpuset")

📊 Metadata

CVE ID: CVE-2022-50103
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125
EPSS Score: 0.02% exploit probability (3.6th percentile)
Published: June 18, 2025
Last Updated: November 19, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50103, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)