Login Sign Up

CVE-2022-50282

5.5 MEDIUM

📋 TL;DR

A race condition vulnerability in the Linux kernel's cdev_device_add() function can cause a kernel panic when device registration fails. This affects Linux systems with character device drivers, potentially causing denial of service. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires character device driver operations that could fail during registration. Industrial IO (IIO) subsystem mentioned in traceback is one example.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, requiring physical or remote console access to reboot.

🟠

Likely Case

Local denial of service through kernel panic when fault injection or specific error conditions occur during device registration.

🟢

If Mitigated

Minor system instability that might require reboot if triggered by legitimate device failures.

🌐 Internet-Facing: LOW - Requires local access to trigger, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local users or processes could potentially trigger this, but requires specific error conditions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger specific error conditions during device registration. Fault injection testing discovered this.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel versions with commits 11fa7fefe3d8, 28dc61cc49c6, 34d17b39bcee, 5d2146889fad, or 6acf8597c5b0

Vendor Advisory: https://git.kernel.org/stable/c/11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution. 2. For custom kernels, apply the fix commit to your kernel source. 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

No practical workaround

all

This is a kernel-level race condition that requires code fix. No configuration changes can mitigate it.

🧯 If You Can't Patch

  • Restrict local user access to systems where possible
  • Monitor for kernel panic events and have reboot procedures ready

🔍 How to Verify

Check if Vulnerable:

Check kernel version: uname -r and compare with distribution's patched versions. Vulnerable if before fix commits.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version after update matches patched version from your distribution vendor.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • Warnings about kobject_put() on uninitialized objects
  • System crash/reboot events

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("kobject_put" OR "panic" OR "Oops")

📊 Metadata

CVE ID: CVE-2022-50282
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-908
EPSS Score: 0.01% exploit probability (1th percentile)
Published: September 15, 2025
Last Updated: December 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50282, you might also want to check these:

CVE-2021-26305 9.8

CVE-2021-26305 is a deserialization vulnerability in the cdr crate for Rust that allows a malicious ...

Same vulnerability type (CWE-908)
CVE-2020-36443 9.8

This vulnerability in libp2p-deflate crate for Rust allows reading uninitialized memory due to passi...

Same vulnerability type (CWE-908)
CVE-2020-36452 9.8

This vulnerability in the array-tools Rust crate allows attackers to cause memory corruption by expl...

Same vulnerability type (CWE-908)