{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50826", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:07.131Z", "datePublished": "2025-12-30T12:08:38.950Z", "dateUpdated": "2025-12-30T12:08:38.950Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:08:38.950Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()\n\nCalling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()\nwith a subdev state of NULL leads to a NULL pointer dereference. This\ncan currently happen in imgu_subdev_set_selection() when the state\npassed in is NULL, as this method first gets pointers to both the \"try\"\nand \"active\" states and only then decides which to use.\n\nThe same issue has been addressed for imgu_subdev_get_selection() with\ncommit 30d03a0de650 (\"ipu3-imgu: Fix NULL pointer dereference in active\nselection access\"). However the issue still persists in\nimgu_subdev_set_selection().\n\nTherefore, apply a similar fix as done in the aforementioned commit to\nimgu_subdev_set_selection(). To keep things a bit cleaner, introduce\nhelper functions for \"crop\" and \"compose\" access and use them in both\nimgu_subdev_set_selection() and imgu_subdev_get_selection()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/staging/media/ipu3/ipu3-v4l2.c"], "versions": [{"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9", "lessThan": "fa6bbb4894b9b947063c6ff90018a954c5f9f4b3", "status": "affected", "versionType": "git"}, {"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9", "lessThan": "611d617bdb6c5d636a9861ec1c98e813fc8a5556", "status": "affected", "versionType": "git"}, {"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9", "lessThan": "5038ee677606106c91564f9c4557d808d14bad70", "status": "affected", "versionType": "git"}, {"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9", "lessThan": "dc608edf7d45ba0c2ad14c06eccd66474fec7847", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/staging/media/ipu3/ipu3-v4l2.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.87", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.18", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.4", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.87"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.0.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3"}, {"url": "https://git.kernel.org/stable/c/611d617bdb6c5d636a9861ec1c98e813fc8a5556"}, {"url": "https://git.kernel.org/stable/c/5038ee677606106c91564f9c4557d808d14bad70"}, {"url": "https://git.kernel.org/stable/c/dc608edf7d45ba0c2ad14c06eccd66474fec7847"}], "title": "ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()\n\nCalling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()\nwith a subdev state of NULL leads to a NULL pointer dereference. This\ncan currently happen in imgu_subdev_set_selection() when the state\npassed in is NULL, as this method first gets pointers to both the \"try\"\nand \"active\" states and only then decides which to use.\n\nThe same issue has been addressed for imgu_subdev_get_selection() with\ncommit 30d03a0de650 (\"ipu3-imgu: Fix NULL pointer dereference in active\nselection access\"). However the issue still persists in\nimgu_subdev_set_selection().\n\nTherefore, apply a similar fix as done in the aforementioned commit to\nimgu_subdev_set_selection(). To keep things a bit cleaner, introduce\nhelper functions for \"crop\" and \"compose\" access and use them in both\nimgu_subdev_set_selection() and imgu_subdev_get_selection()."}], "id": "CVE-2022-50826", "lastModified": "2025-12-30T13:15:57.063", "metrics": {}, "published": "2025-12-30T13:15:57.063", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5038ee677606106c91564f9c4557d808d14bad70"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/611d617bdb6c5d636a9861ec1c98e813fc8a5556"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dc608edf7d45ba0c2ad14c06eccd66474fec7847"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}