Login Sign Up

CVE-2022-50174

5.5 MEDIUM
Denial of Service

📋 TL;DR

A race condition vulnerability in the Linux kernel's hinic network driver causes a kernel hang when reading device statistics from a bond interface. This affects systems using Huawei Intelligent NIC (hinic) devices in bond configurations, potentially leading to denial of service.

💻 Affected Systems

Products:
  • Linux kernel with hinic driver
Versions: Linux kernel versions before fixes in stable releases (specific commits: 3ba59bbe4f306bb6ee15753db0a40564c0eb7909, 693f31dc91568e61047fd2980a8235e856cd9ce8, etc.)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using Huawei Intelligent NIC (hinic) devices as bond slave devices and reading statistics from the master bond device.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic and system crash requiring physical reboot, causing extended downtime for affected servers.

🟠

Likely Case

System hang or performance degradation when reading network statistics from bond interfaces containing hinic devices.

🟢

If Mitigated

Minor performance impact during statistics collection if proper kernel version is used.

🌐 Internet-Facing: LOW - Requires local access or specific network configuration to trigger.
🏢 Internal Only: MEDIUM - Can be triggered by monitoring tools or administrators reading network statistics on affected systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific hardware configuration and access to read network statistics. More likely to be triggered accidentally by monitoring systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel stable releases containing the fix commits

Vendor Advisory: https://git.kernel.org/stable/c/3ba59bbe4f306bb6ee15753db0a40564c0eb7909

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load new kernel. 3. Verify hinic driver is no longer using mgmt_lock in get_stats64 function.

🔧 Temporary Workarounds

Avoid bond configuration with hinic

linux

Do not configure hinic devices as bond slaves if possible

Disable statistics collection

linux

Avoid reading network statistics from bond interfaces containing hinic devices

🧯 If You Can't Patch

  • Avoid using hinic devices in bond configurations
  • Implement monitoring to detect and alert on system hangs related to network statistics collection

🔍 How to Verify

Check if Vulnerable:

Check if system uses hinic devices in bond configuration and kernel version is before fixes. Run: lsmod | grep hinic && cat /proc/net/bonding/*

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix commits or test reading bond interface statistics without system hang

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning softlockup or hung tasks
  • System logs showing bond interface statistics collection failures

Network Indicators:

  • Sudden loss of network connectivity on bond interfaces
  • Monitoring system alerts for hung processes

SIEM Query:

event_source:kernel AND (message:"softlockup" OR message:"hung tasks") AND process:"hinic"

📊 Metadata

CVE ID: CVE-2022-50174
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-667
EPSS Score: 0.01% exploit probability (1.9th percentile)
Published: June 18, 2025
Last Updated: November 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50174, you might also want to check these:

CVE-2020-12658 9.8

CVE-2020-12658 is a critical vulnerability in gssproxy (GSS-API proxy daemon) where improper mutex h...

Same vulnerability type (CWE-667)
CVE-2020-11284 8.4

This vulnerability allows non-secure boot loaders to unlock and modify memory regions that should re...

Same vulnerability type (CWE-667)
CVE-2021-22530 8.2

CVE-2021-22530 is an authentication bypass vulnerability in NetIQ Advanced Authentication that allow...

Same vulnerability type (CWE-667)