What is the CVSS score of CVE-2022-50390?

CVE-2022-50390 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Linux Kernel are affected by CVE-2022-50390?

CVE-2022-50390 presents moderate security risk rated CVSS 5.5. Exploitation could compromise the security of affected deployments.. A patch is available.

How to fix or mitigate CVE-2022-50390?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Linux Kernel CVE-2022-50390

MEDIUM

2025-09-18 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Denial Of Service Linux Integer Overflow Red Hat Linux Kernel Suse

5.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 17, 2026 - 20:45 vuln.today

Patch released

Mar 17, 2026 - 20:45 nvd

Patch available

CVE Published

Sep 18, 2025 - 14:15 nvd

MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED

Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below:

UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26 left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: <TASK> dump_stack_lvl+0x7d/0xa5 dump_stack+0x15/0x1b ubsan_epilogue+0xe/0x4e __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c ttm_bo_move_memcpy+0x3b4/0x460 [ttm] bo_driver_move+0x32/0x40 [drm_vram_helper] ttm_bo_handle_move_mem+0x118/0x200 [ttm] ttm_bo_validate+0xfa/0x220 [ttm] drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper] drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper] drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper] drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper] drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper] drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper] drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper] drm_atomic_commit+0x9c/0x160 [drm] drm_client_modeset_commit_atomic+0x33a/0x380 [drm] drm_client_modeset_commit_locked+0x77/0x220 [drm] drm_client_modeset_commit+0x31/0x60 [drm] __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper] drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper] fbcon_init+0x316/0x790 visual_init+0x113/0x1d0 do_bind_con_driver+0x2a3/0x5c0 do_take_over_console+0xa9/0x270 do_fbcon_takeover+0xa1/0x170 do_fb_registered+0x2a8/0x340 fbcon_fb_registered+0x47/0xe0 register_framebuffer+0x294/0x4a0 __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper] drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper] drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper] drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper] bochs_pci_probe+0x6ca/0x772 [bochs] local_pci_probe+0x4d/0xb0 pci_device_probe+0x119/0x320 really_probe+0x181/0x550 __driver_probe_device+0xc6/0x220 driver_probe_device+0x32/0x100 __driver_attach+0x195/0x200 bus_for_each_dev+0xbb/0x120 driver_attach+0x27/0x30 bus_add_driver+0x22e/0x2f0 driver_register+0xa9/0x190 __pci_register_driver+0x90/0xa0 bochs_pci_driver_init+0x52/0x1000 [bochs] do_one_initcall+0x76/0x430 do_init_module+0x61/0x28a load_module+0x1f82/0x2e50 __do_sys_finit_module+0xf8/0x190 __x64_sys_finit_module+0x23/0x30 do_syscall_64+0x58/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK>

AnalysisAI

A undefined behavior vulnerability exists in the Linux kernel's TTM (Translation Table Maps) memory management subsystem where shifting a signed 32-bit value by 31 bits during bit flag operations causes undefined behavior. This affects all Linux kernel versions using the affected TTM code path, and while the vulnerability itself is difficult to exploit directly, it can be triggered by local attackers with low privileges during GPU memory operations, resulting in denial of service through kernel panic or undefined system behavior. The EPSS score of 0.01% and lack of known public exploits indicate this is a low real-world exploitation probability, but the CVSS 5.5 score reflects the availability impact when triggered.

Technical ContextAI

The vulnerability resides in the drm/ttm subsystem (Direct Rendering Manager / Translation Table Maps) within the Linux kernel header file ttm_tt.h at line 122, where the TTM_TT_FLAG_PRIV_POPULATED flag definition uses a left bit shift operation on a signed 32-bit integer. Specifically, the macro shifts the value 1 left by 31 positions (1 << 31), which in signed 32-bit arithmetic exceeds the representable range and triggers undefined behavior according to the C standard and UBSAN (Undefined Behavior Sanitizer) detection. The affected CPE (cpe:2.3:o:linux:linux_kernel) indicates all Linux kernel installations using TTM are potentially affected. While no specific CWE is listed in the advisory, this falls under improper integer handling and type safety violations, commonly related to CWE-190 (Integer Overflow) or CWE-197 (Numeric Truncation Error). The fix involves changing the bit shift operand from a signed int to unsigned, allowing the operation to proceed safely.

RemediationAI

Update the Linux kernel to a patched version released after the fix commits referenced in kernel.org stable (commits 2ff0309b73d86e8591881ac035af06e01c112e89, 387659939c00156f8d6bab0fbc55b4eaf2b6bc5b, 6528971fdce0dfc0a28fec42c151a1eccdabadf5, or c4079a34c0adef9f35a16783fb13a9084406f96d). Most Linux distributions have backported this fix into their stable kernel branches; check your distribution's security advisories for the specific kernel version. For immediate systems unable to patch, disable GPU/DRM functionality if not required, or restrict local user access to prevent triggering the code path. The fix itself is minimal (changing signed int to unsigned in the bit shift operation), so patch application is straightforward with no compatibility concerns.