CVE-2022-50016

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: cnl: Do not process IPC reply before firmware boot It is not yet clear, but it is possible to create a firmware so broken that it will send a reply message before a FW_READY message (it is not yet clear if FW_READY will arrive later). Since the reply_data is allocated only after the FW_READY message, this will lead to a NULL pointer dereference if not filtered out. The issue was reported with IPC4 firmware but the same condition is present for IPC3.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/230f646085d17a008b609eb8fe8befb8811868f0	Patch
https://git.kernel.org/stable/c/acacd9eefd0def5a83244d88e5483b5f38ee7287	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

14 Nov 2025, 17:06

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:o:linux:linux_kernel::::::::
CWE		CWE-476
References	~~() https://git.kernel.org/stable/c/230f646085d17a008b609eb8fe8befb8811868f0 -~~	() https://git.kernel.org/stable/c/230f646085d17a008b609eb8fe8befb8811868f0 - Patch
References	~~() https://git.kernel.org/stable/c/acacd9eefd0def5a83244d88e5483b5f38ee7287 -~~	() https://git.kernel.org/stable/c/acacd9eefd0def5a83244d88e5483b5f38ee7287 - Patch
First Time		Linux linux Kernel Linux

Information

Published : 2025-06-18 11:15

Updated : 2025-11-14 17:06

NVD link : CVE-2022-50016

Mitre link : CVE-2022-50016

CVE.ORG link : CVE-2022-50016

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2022-50016", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:29.700", "references": [{"url": "https://git.kernel.org/stable/c/230f646085d17a008b609eb8fe8befb8811868f0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/acacd9eefd0def5a83244d88e5483b5f38ee7287", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: cnl: Do not process IPC reply before firmware boot\n\nIt is not yet clear, but it is possible to create a firmware so broken\nthat it will send a reply message before a FW_READY message (it is not\nyet clear if FW_READY will arrive later).\nSince the reply_data is allocated only after the FW_READY message, this\nwill lead to a NULL pointer dereference if not filtered out.\n\nThe issue was reported with IPC4 firmware but the same condition is present\nfor IPC3."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: SOF: Intel: cnl: No procesar la respuesta de IPC antes del arranque del firmware. A\u00fan no est\u00e1 claro, pero es posible crear un firmware tan defectuoso que env\u00ede un mensaje de respuesta antes de un mensaje FW_READY (a\u00fan no se sabe si FW_READY llegar\u00e1 despu\u00e9s). Dado que los datos de respuesta se asignan solo despu\u00e9s del mensaje FW_READY, esto provocar\u00e1 una desreferencia de puntero nulo si no se filtra. El problema se report\u00f3 con el firmware IPC4, pero la misma condici\u00f3n se presenta para IPC3."}], "lastModified": "2025-11-14T17:06:58.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D135D164-F55B-4ED6-AC4A-9084482BFA6E", "versionEndExcluding": "5.19.4", "versionStartIncluding": "5.2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}