{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-50043", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-06-18T10:57:27.399Z", "datePublished": "2025-06-18T11:01:44.186Z", "dateUpdated": "2025-06-18T11:01:44.186Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-06-18T11:01:44.186Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix potential refcount leak in ndisc_router_discovery()\n\nThe issue happens on specific paths in the function. After both the\nobject `rt` and `neigh` are grabbed successfully, when `lifetime` is\nnonzero but the metric needs change, the function just deletes the\nroute and set `rt` to NULL. Then, it may try grabbing `rt` and `neigh`\nagain if above conditions hold. The function simply overwrite `neigh`\nif succeeds or returns if fails, without decreasing the reference\ncount of previous `neigh`. This may result in memory leaks.\n\nFix it by decrementing the reference count of `neigh` in place."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/ndisc.c"], "versions": [{"version": "6b2e04bc240fe9be9e690059f710e9f95346d34d", "lessThan": "ffb15594433391fd7885eb88ce5a7f7bdeefbb15", "status": "affected", "versionType": "git"}, {"version": "6b2e04bc240fe9be9e690059f710e9f95346d34d", "lessThan": "7998043d31d000c3a93f46182e6569dd0eecda34", "status": "affected", "versionType": "git"}, {"version": "6b2e04bc240fe9be9e690059f710e9f95346d34d", "lessThan": "7396ba87f1edf549284869451665c7c4e74ecd4f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv6/ndisc.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.63", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.4", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "5.15.63"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "5.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ffb15594433391fd7885eb88ce5a7f7bdeefbb15"}, {"url": "https://git.kernel.org/stable/c/7998043d31d000c3a93f46182e6569dd0eecda34"}, {"url": "https://git.kernel.org/stable/c/7396ba87f1edf549284869451665c7c4e74ecd4f"}], "title": "net: fix potential refcount leak in ndisc_router_discovery()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DC3AC51-DA1F-4CE2-BA20-9F44D3835529", "versionEndExcluding": "5.15.63", "versionStartIncluding": "5.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E669300-DA42-4ACD-86D8-68BE5F29FB88", "versionEndExcluding": "5.19.4", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix potential refcount leak in ndisc_router_discovery()\n\nThe issue happens on specific paths in the function. After both the\nobject `rt` and `neigh` are grabbed successfully, when `lifetime` is\nnonzero but the metric needs change, the function just deletes the\nroute and set `rt` to NULL. Then, it may try grabbing `rt` and `neigh`\nagain if above conditions hold. The function simply overwrite `neigh`\nif succeeds or returns if fails, without decreasing the reference\ncount of previous `neigh`. This may result in memory leaks.\n\nFix it by decrementing the reference count of `neigh` in place."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: correcci\u00f3n de una posible fuga de referencias en ndisc_router_discovery(). El problema se produce en rutas espec\u00edficas de la funci\u00f3n. Tras la captura correcta de los objetos `rt` y `neigh`, cuando `lifetime` es distinto de cero pero la m\u00e9trica necesita cambiar, la funci\u00f3n simplemente elimina la ruta y establece `rt` en NULL. A continuaci\u00f3n, puede intentar capturar `rt` y `neigh` de nuevo si se cumplen las condiciones anteriores. La funci\u00f3n simplemente sobrescribe `neigh` si tiene \u00e9xito o retorna si falla, sin reducir la cantidad de referencias de `neigh` anterior. Esto puede provocar fugas de memoria. Para solucionarlo, reduzca la cantidad de referencias de `neigh` en su lugar."}], "id": "CVE-2022-50043", "lastModified": "2025-11-13T18:32:07.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-18T11:15:32.787", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7396ba87f1edf549284869451665c7c4e74ecd4f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7998043d31d000c3a93f46182e6569dd0eecda34"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ffb15594433391fd7885eb88ce5a7f7bdeefbb15"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: fix potential refcount leak in ndisc_router_discovery()", "id": "2373506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373506"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: fix potential refcount leak in ndisc_router_discovery()\nThe issue happens on specific paths in the function. After both the\nobject `rt` and `neigh` are grabbed successfully, when `lifetime` is\nnonzero but the metric needs change, the function just deletes the\nroute and set `rt` to NULL. Then, it may try grabbing `rt` and `neigh`\nagain if above conditions hold. The function simply overwrite `neigh`\nif succeeds or returns if fails, without decreasing the reference\ncount of previous `neigh`. This may result in memory leaks.\nFix it by decrementing the reference count of `neigh` in place."], "name": "CVE-2022-50043", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50043\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50043\nhttps://lore.kernel.org/linux-cve-announce/2025061843-CVE-2022-50043-e7dc@gregkh/T"], "statement": "A reference count leak was found in the ndisc_router_discovery() function when re-acquiring the neigh object without releasing the previously held reference. This may lead to a memory leak, especially in long-lived or high-load systems. Although the issue does not impact confidentiality or integrity, it may result in memory exhaustion or kernel instability under certain conditions. The attack requires local privileges and direct interaction with the IPv6 stack, but no user interaction.", "threat_severity": "Moderate"}

{"created": "2025-06-23T08:53:47.149949+00:00", "updated": "2025-06-23T08:53:47.149998+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}