CVE-2022-50532
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()

In mpt3sas_transport_port_add(), if sas_rphy_add() returns error, sas_rphy_free() needs to be called to free the resource allocated in sas_end_device_alloc(). Otherwise a kernel crash will happen:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : device_del+0x54/0x3d0
lr : device_del+0x37c/0x3d0
Call trace:
 device_del+0x54/0x3d0
 attribute_container_class_device_del+0x28/0x38
 transport_remove_classdev+0x6c/0x80
 attribute_container_device_trigger+0x108/0x110
 transport_remove_device+0x28/0x38
 sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
 sas_port_delete+0x30/0x148 [scsi_transport_sas]
 do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
 device_for_each_child+0x68/0xb0
 sas_remove_children+0x30/0x50 [scsi_transport_sas]
 sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
 sas_port_delete+0x30/0x148 [scsi_transport_sas]
 do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
 device_for_each_child+0x68/0xb0
 sas_remove_children+0x30/0x50 [scsi_transport_sas]
 sas_remove_host+0x20/0x38 [scsi_transport_sas]
 scsih_remove+0xd8/0x420 [mpt3sas]

Because transport_add_device() is not called when sas_rphy_add() fails, the device is not added. When sas_rphy_remove() is subsequently called to remove the device in the remove() path, a NULL pointer dereference happens.
Analysis
A resource leak vulnerability exists in the Linux kernel's mpt3sas SCSI transport driver: when sas_rphy_add() fails, the driver does not free the resources it has already allocated, and the leftover device object later causes a NULL pointer dereference and kernel crash during device removal. This affects Linux kernels across multiple versions that use the mpt3sas driver for SAS (Serial Attached SCSI) HBA management. A local attacker with low privileges (PR:L in the CVSS vector) who can trigger transport port operations can cause a denial of service by inducing a kernel panic, though the low EPSS score of 0.01% suggests exploitation has not been practically demonstrated in the wild.
Technical Context
The vulnerability resides in the mpt3sas SCSI transport driver's mpt3sas_transport_port_add() function within the Linux kernel (CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). The root cause is classified under CWE-401 (Missing Release of Memory after Effective Lifetime), a resource management flaw. Specifically, when sas_rphy_add() fails during SAS remote phy (rphy) attachment, the code path neglects to call sas_rphy_free() to deallocate the memory previously allocated by sas_end_device_alloc(). This leaves an orphaned device object behind. Subsequently, when the driver's remove path invokes sas_rphy_remove() to tear down the device hierarchy, the kernel touches device state that was never initialized, triggering a NULL pointer dereference at offset 0x108 inside device_del(). The call chain shows that transport_add_device() is never invoked when sas_rphy_add() fails, so the device is left in an inconsistent state that surfaces as the NULL pointer dereference during cleanup.
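To make the error path concrete, the following is a constructed user-space model of the pattern described above (added here; it is not the driver's code and not the kernel fix itself). The stand-ins for sas_end_device_alloc(), sas_rphy_add(), sas_rphy_remove() and sas_rphy_free() are assumptions that only keep the bookkeeping relevant to this bug: a failed add leaves the rphy unregistered, and the remove path reports -EFAULT where the real kernel dereferences NULL in device_del(). port_add_unfixed() shows the pre-fix pattern and port_add_fixed() the cleanup the fix adds.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed user-space model of the objects involved; not kernel code. */
struct sas_rphy { int registered; };  /* set only when sas_rphy_add() succeeds */
static int live_rphys;                /* allocations not yet freed (leak counter) */
static int inject_add_failure;        /* fault injection: make sas_rphy_add() fail */

static struct sas_rphy *sas_end_device_alloc(void) {
    struct sas_rphy *r = calloc(1, sizeof *r);
    if (r) live_rphys++;
    return r;
}
static void sas_rphy_free(struct sas_rphy *r) { free(r); live_rphys--; }

/* Models sas_rphy_add(): on failure transport_add_device() never runs. */
static int sas_rphy_add(struct sas_rphy *r) {
    if (inject_add_failure) return -EINVAL;
    r->registered = 1;
    return 0;
}
/* Models sas_rphy_remove(): device_del() needs state that only a successful
 * add set up. The kernel dereferences NULL there; this model returns -EFAULT. */
static int sas_rphy_remove(struct sas_rphy *r) {
    if (!r->registered) return -EFAULT;
    r->registered = 0;
    return 0;
}

/* Pre-fix pattern: the add failure is only logged, and the lingering rphy is
 * later handed to the remove path. */
static struct sas_rphy *port_add_unfixed(void) {
    struct sas_rphy *rphy = sas_end_device_alloc();
    if (!rphy) return NULL;
    if (sas_rphy_add(rphy)) { /* only an error message here */ }
    return rphy;
}
/* Fixed pattern: release the rphy on failure so remove() never sees it. */
static struct sas_rphy *port_add_fixed(void) {
    struct sas_rphy *rphy = sas_end_device_alloc();
    if (!rphy) return NULL;
    if (sas_rphy_add(rphy)) { sas_rphy_free(rphy); rphy = NULL; }
    return rphy;
}

/* Run port_add, then the remove path, as scsih_remove() would. Returns the
 * remove status; live_rphys afterwards shows what was left allocated. */
static int add_then_remove(struct sas_rphy *(*port_add)(void), int fail_add) {
    live_rphys = 0;
    inject_add_failure = fail_add;
    struct sas_rphy *rphy = port_add();
    int rc = rphy ? sas_rphy_remove(rphy) : 0;
    if (rc == 0 && rphy) sas_rphy_free(rphy);   /* a crash never reaches this */
    return rc;
}
```

With the failure injected, the unfixed path reaches the remove step with an unregistered rphy (the crash in the report) and leaves it allocated; the fixed path frees it at the point of failure and the remove step has nothing to tear down.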
Affected Products
All Linux kernel versions utilizing the mpt3sas driver are potentially affected, as indicated by the CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. The vulnerability was confirmed in kernel 6.1.0-rc1 and patches have been released across multiple stable kernel branches via commits 6a92129c8f999ff5b122c100ce7f625eb3e98c4b, 6f6768e2fc8638fabdd8802c2ef693d7aef01db1, 78316e9dfc24906dd474630928ed1d3c562b568e, ce1a69cc85006b494353911b35171da195d79e25, d17bca3ddfe507874cb826d32721552da12e741f, and d60000cb1195a464080b0efb4949daf7594e0020. Distribution kernels and any system running mpt3sas-dependent Broadcom MegaRAID or Adaptec controllers are in scope. Specific version ranges affected include legacy kernel lines (4.x, 5.x) and recent stable versions (6.x) prior to their respective patches.
Remediation
Apply the vendor kernel patch immediately by upgrading to a patched kernel version that includes one of the six identified commits (consult your Linux distribution's security advisory for the specific patched version number for your kernel branch). For distributions with extended security support, check vendor advisories from SUSE, Red Hat, Ubuntu, or Debian for backported fixes. Until patching is possible, restrict access to SCSI transport management operations via Linux capabilities (CAP_SYS_ADMIN) and SELinux policies to prevent unprivileged users from triggering the vulnerable code path. Monitor kernel logs for oops messages containing 'device_del' or 'sas_rphy_remove' warnings as indicators of attempted exploitation. Recompile the kernel with CONFIG_KASAN or CONFIG_DEBUG_KMEMLEAK enabled in test environments to detect similar resource leaks proactively.