CVE-2022-50538

5.5 MEDIUM

📋 TL;DR

CVE-2022-50538 is a Linux kernel vulnerability in the VME subsystem: the fake_init() function does not handle errors returned by __root_device_register(). This can lead to a NULL pointer dereference when the module is unloaded, potentially causing a kernel crash or denial of service. It affects Linux systems with the VME subsystem enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE, but patches available in stable kernel trees
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if VME subsystem is enabled/loaded. VME is typically used for industrial/embedded systems with VMEbus hardware.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic or system crash leading to denial of service, potentially requiring physical reboot of affected systems.

🟠 Likely Case

System instability or crash when unloading the VME module, causing temporary service disruption.

🟢 If Mitigated

Minimal impact if VME subsystem is not used or module loading is restricted.

🌐 Internet-Facing: LOW - This requires local access or module loading capabilities, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users with module loading privileges could trigger the vulnerability, potentially causing system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to load/unload kernel modules. Exploitation triggers during module unloading.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (see references)

Vendor Advisory: https://git.kernel.org/stable/c/09be0e7ac5f9374b6f8de72c89ed67129af71f65

Restart Required: Yes

Instructions:

1. Update to patched kernel version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify VME module loads/unloads without errors.

🔧 Temporary Workarounds

Disable VME subsystem

linux

Prevent loading of VME kernel module if not required

echo 'blacklist vme' > /etc/modprobe.d/blacklist-vme.conf
rmmod vme

Restrict module loading

linux

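Prevent any further loading or unloading of kernel modules. Once kernel.modules_disabled is set to 1, it cannot be set back to 0 without a reboot, so load every module the system needs first.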

sysctl -w kernel.modules_disabled=1
echo 'kernel.modules_disabled=1' >> /etc/sysctl.conf

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from loading/unloading kernel modules
  • Monitor system logs for VME module loading/unloading activities and kernel panic events

🔍 How to Verify

Check if Vulnerable:

Check if VME module is loaded: lsmod | grep vme. If loaded and kernel version is unpatched, system may be vulnerable.

Check Version:

uname -r

Verify Fix Applied:

After patching, attempt to load and unload VME module: modprobe vme && rmmod vme. Should complete without kernel errors.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • NULL pointer dereference errors in dmesg
  • VME module loading/unloading failures

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("general protection fault" OR "null-ptr-deref" OR "vme" OR "fake_init")
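
The query above ORs its four terms, so any routine log line containing "vme" matches. As an added example (not part of the original advisory), the sketch below reports a crash line only when a VME-related line appears within a few seconds of it; the log lines, the 5-second window and the function names are assumptions made for illustration.

```python
import re

# Constructed kernel log lines for illustration (not captured from a real system).
SAMPLE_LOG = """\
[  101.200000] vme_fake: bridge registered
[  512.730000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  512.730412] Call Trace:
[  512.730650]  root_device_unregister+0x1a/0x40
[  512.730655]  fake_exit+0x12/0x30 [vme_fake]
[  900.100000] general protection fault, probably for non-canonical address
[  900.100300]  other_exit+0x8/0x20 [other_mod]
""".splitlines()

# The four terms of the page's SIEM query, OR-ed as case-insensitive substrings.
QUERY_TERMS = ("general protection fault", "null-ptr-deref", "vme", "fake_init")
# Crash phrasings: the query's two, plus the page's listed log indicators.
CRASH = re.compile(r"general protection fault|null-ptr-deref|"
                   r"NULL pointer dereference|Kernel panic", re.I)
# VME context: module or symbol names starting with "vme", or fake_init.
VME = re.compile(r"\bvme\w*|fake_init", re.I)
STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")
WINDOW_SECONDS = 5.0  # assumption: one oops is printed within a few seconds


def broad_matches(lines):
    """Lines the OR-only query would return, including benign VME messages."""
    return [l for l in lines if any(t in l.lower() for t in QUERY_TERMS)]


def find_vme_crashes(lines, window=WINDOW_SECONDS):
    """Return (timestamp, crash_line, vme_line) for crashes with VME context nearby."""
    events = []
    for line in lines:
        m = STAMP.match(line)
        if m:
            events.append((float(m.group(1)), line.rstrip()))
    hits = []
    for t, line in events:
        if CRASH.search(line):
            context = [l for u, l in events if abs(u - t) <= window and VME.search(l)]
            if context:
                hits.append((t, line, context[0]))
    return hits


if __name__ == "__main__":
    print(len(broad_matches(SAMPLE_LOG)), "broad matches")
    for t, crash, ctx in find_vme_crashes(SAMPLE_LOG):
        print(f"{t:.6f}: {crash.split('] ', 1)[1]} <- {ctx.strip()}")
```

On the constructed sample, the OR-only query returns the benign registration message and the unrelated fault while missing the "NULL pointer dereference" header line; the correlated check reports only the oops whose trace mentions a VME module.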

🔗 References
