CVE-2022-50524 – A null pointer dereference vulnerability in the... (How to Fix)

Q: What is the severity of CVE-2022-50524?

CVE-2022-50524 has a CVSS score of 5.5 (MEDIUM). A null pointer dereference vulnerability in the MediaTek IOMMU driver of the Linux kernel could cause kernel panic or system crash when platform_get_resource() returns NULL. This affects Linux systems using MediaTek IOMMU hardware. Attackers could potentially cause denial of service.

📋 TL;DR

A null pointer dereference vulnerability in the MediaTek IOMMU driver of the Linux kernel could cause kernel panic or system crash when platform_get_resource() returns NULL. This affects Linux systems using MediaTek IOMMU hardware. Attackers could potentially cause denial of service.

💻 Affected Systems

Products:

Linux kernel with MediaTek IOMMU driver

Versions: Linux kernel versions before the fix commits (specific versions vary by distribution)

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if the MediaTek IOMMU driver is loaded and used. Many systems may not have this hardware/driver enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially requiring physical access to restart the system.

🟠

Likely Case

System crash or kernel panic when the driver attempts to access invalid memory, causing temporary denial of service until system reboot.

🟢

If Mitigated

No impact if the vulnerable driver is not loaded or if the system doesn't use MediaTek IOMMU hardware.

🌐 Internet-Facing: LOW - This is a local kernel vulnerability requiring local access or ability to trigger the driver code path.

🏢 Internal Only: MEDIUM - Local users or processes could potentially trigger the vulnerability to cause denial of service on affected systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and ability to trigger the vulnerable code path in the MediaTek IOMMU driver.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 73b6924cdebc899de9b719e1319aa86c6bed4acf, bfebf05883cdcf9ac983033987fae869bd59ca53, or feca904412483b2e0a903dd1f2e2843afd445f8c

Vendor Advisory: https://git.kernel.org/stable/c/73b6924cdebc899de9b719e1319aa86c6bed4acf

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Check distribution-specific security advisories. 3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable MediaTek IOMMU driver

linux

Prevent loading of the vulnerable driver module

echo 'blacklist mtk_iommu' >> /etc/modprobe.d/blacklist.conf
rmmod mtk_iommu

🧯 If You Can't Patch

Ensure system doesn't use MediaTek IOMMU hardware
Restrict local user access to prevent potential exploitation

🔍 How to Verify

Check if Vulnerable:

Check if MediaTek IOMMU driver is loaded: lsmod | grep mtk_iommu

Check Version:

uname -r

Verify Fix Applied:

Check kernel version against distribution security advisories and verify driver is not causing crashes

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages
NULL pointer dereference errors in kernel logs
System crash/reboot events

Network Indicators:

None - this is a local vulnerability

SIEM Query:

search 'kernel panic' OR 'NULL pointer dereference' OR 'mtk_iommu' in system logs

📊 Metadata

CVE ID: CVE-2022-50524

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

Published: October 7, 2025

Last Updated: February 5, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50524, you might also want to check these: