CVE-2022-50167

In the Linux kernel, the following vulnerability has been resolved: bpf: fix potential 32-bit overflow when accessing ARRAY map element If BPF array map is bigger than 4GB, element pointer calculation can overflow because both index and elem_size are u32. Fix this everywhere by forcing 64-bit multiplication. Extract this formula into separate small helper and use it consistently in various places. Speculative-preventing formula utilizing index_mask trick is left as is, but explicit u64 casts are added in both places.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/063e092534d4c6785228e5b1eb6e9329f66ccbe4	Patch
https://git.kernel.org/stable/c/3c7256b880b3a5aa1895fd169a34aa4224a11862	Patch
https://git.kernel.org/stable/c/87ac0d600943994444e24382a87aa19acc4cd3d4	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

17 Nov 2025, 19:48

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-190
CPE		cpe:2.3:o:linux:linux_kernel::::::::
First Time		Linux linux Kernel Linux
References	~~() https://git.kernel.org/stable/c/063e092534d4c6785228e5b1eb6e9329f66ccbe4 -~~	() https://git.kernel.org/stable/c/063e092534d4c6785228e5b1eb6e9329f66ccbe4 - Patch
References	~~() https://git.kernel.org/stable/c/3c7256b880b3a5aa1895fd169a34aa4224a11862 -~~	() https://git.kernel.org/stable/c/3c7256b880b3a5aa1895fd169a34aa4224a11862 - Patch
References	~~() https://git.kernel.org/stable/c/87ac0d600943994444e24382a87aa19acc4cd3d4 -~~	() https://git.kernel.org/stable/c/87ac0d600943994444e24382a87aa19acc4cd3d4 - Patch

Information

Published : 2025-06-18 11:15

Updated : 2025-11-17 19:48

NVD link : CVE-2022-50167

Mitre link : CVE-2022-50167

CVE.ORG link : CVE-2022-50167

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2022-50167", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:47.010", "references": [{"url": "https://git.kernel.org/stable/c/063e092534d4c6785228e5b1eb6e9329f66ccbe4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3c7256b880b3a5aa1895fd169a34aa4224a11862", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87ac0d600943994444e24382a87aa19acc4cd3d4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix potential 32-bit overflow when accessing ARRAY map element\n\nIf BPF array map is bigger than 4GB, element pointer calculation can\noverflow because both index and elem_size are u32. Fix this everywhere\nby forcing 64-bit multiplication. Extract this formula into separate\nsmall helper and use it consistently in various places.\n\nSpeculative-preventing formula utilizing index_mask trick is left as is,\nbut explicit u64 casts are added in both places."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: se corrige un posible desbordamiento de 32 bits al acceder al elemento del mapa de matriz. Si el mapa de matriz BPF supera los 4 GB, el c\u00e1lculo del puntero del elemento puede desbordarse, ya que tanto el \u00edndice como el tama\u00f1o de elem son u32. Se corrige este problema en todas partes forzando la multiplicaci\u00f3n de 64 bits. Se extrae esta f\u00f3rmula en un peque\u00f1o ayudante independiente y se usa de forma consistente en varios lugares. La f\u00f3rmula que evita la especulaci\u00f3n mediante el truco de index_mask se mantiene sin cambios, pero se a\u00f1aden conversiones u64 expl\u00edcitas en ambos lugares."}], "lastModified": "2025-11-17T19:48:41.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B02C474E-3473-42B0-8C3A-FE88F36ABE5A", "versionEndExcluding": "5.18.18", "versionStartIncluding": "5.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1A2A5A5-4598-4D7E-BA07-4660398D6C8F", "versionEndExcluding": "5.19.2", "versionStartIncluding": "5.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}