{"id":"CVE-2022-50780","summary":"net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed\n\nWhen the ops_init() interface is invoked to initialize the net, but\nops-\u003einit() fails, data is released. However, the ptr pointer in\nnet-\u003egen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked\nto release the net, invalid address access occurs.\n\nThe process is as follows:\nsetup_net()\n\tops_init()\n\t\tdata = kzalloc(...)   ---\u003e alloc \"data\"\n\t\tnet_assign_generic()  ---\u003e assign \"data\" to ptr in net-\u003egen\n\t\t...\n\t\tops-\u003einit()           ---\u003e failed\n\t\t...\n\t\tkfree(data);          ---\u003e ptr in net-\u003egen is invalid\n\t...\n\tops_exit_list()\n\t\t...\n\t\tnfqnl_nf_hook_drop()\n\t\t\t*q = nfnl_queue_pernet(net) ---\u003e q is invalid\n\nThe following is the Call Trace information:\nBUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280\nRead of size 8 at addr ffff88810396b240 by task ip/15855\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x8e/0xd1\nprint_report+0x155/0x454\nkasan_report+0xba/0x1f0\nnfqnl_nf_hook_drop+0x264/0x280\nnf_queue_nf_hook_drop+0x8b/0x1b0\n__nf_unregister_net_hook+0x1ae/0x5a0\nnf_unregister_net_hooks+0xde/0x130\nops_exit_list+0xb0/0x170\nsetup_net+0x7ac/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n\u003c/TASK\u003e\n\nAllocated by task 
15855:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\n__kasan_kmalloc+0xa1/0xb0\n__kmalloc+0x49/0xb0\nops_init+0xe7/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFreed by task 15855:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\nkasan_save_free_info+0x2a/0x40\n____kasan_slab_free+0x155/0x1b0\nslab_free_freelist_hook+0x11b/0x220\n__kmem_cache_free+0xa4/0x360\nops_init+0xb9/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0","modified":"2026-03-20T11:47:37.281277Z","published":"2025-12-24T13:06:08.552Z","related":["SUSE-SU-2026:0473-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50780.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4a4df5e78712de39d6f90d6a64b5eb48dca03bd5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5a2ea549be94924364f6911227d99be86e8cf34a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/97ad240fd9aa9214497d14af2b91608e20856cac"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a1e18acb0246bfb001b08b8b1b830b5ec92a0f13"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c3edc6e808209aa705185f732e682a370981ced1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d266935ac43d57586e311a087510fe6a084af742"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50780.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50780"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affect
ed":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f875bae065334907796da12523f9df85c89f5712"},{"fixed":"5a2ea549be94924364f6911227d99be86e8cf34a"},{"fixed":"97ad240fd9aa9214497d14af2b91608e20856cac"},{"fixed":"c3edc6e808209aa705185f732e682a370981ced1"},{"fixed":"a1e18acb0246bfb001b08b8b1b830b5ec92a0f13"},{"fixed":"4a4df5e78712de39d6f90d6a64b5eb48dca03bd5"},{"fixed":"d266935ac43d57586e311a087510fe6a084af742"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50780.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.33"},{"fixed":"4.19.264"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.223"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.153"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.77"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50780.json"}}],"schema_version":"1.7.5"}