{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50221", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-06-18T10:57:27.430Z", "datePublished": "2025-06-18T11:03:56.096Z", "dateUpdated": "2026-05-11T19:15:09.235Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:15:09.235Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fb-helper: Fix out-of-bounds access\n\nClip memory range to screen-buffer size to avoid out-of-bounds access\nin fbdev deferred I/O's damage handling.\n\nFbdev's deferred I/O can only track pages. From the range of pages, the\ndamage handler computes the clipping rectangle for the display update.\nIf the fbdev screen buffer ends near the beginning of a page, that page\ncould contain more scanlines. The damage handler would then track these\nnon-existing scanlines as dirty and provoke an out-of-bounds access\nduring the screen update. Hence, clip the maximum memory range to the\nsize of the screen buffer.\n\nWhile at it, rename the variables min/max to min_off/max_off in\ndrm_fb_helper_deferred_io(). This avoids confusion with the macros of\nthe same name."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/drm_fb_helper.c"], "versions": [{"version": "67b723f5b74254d27962b1b59bddfee1584575ff", "lessThan": "9c49ac792c639dbec0728b513329a32461f72253", "status": "affected", "versionType": "git"}, {"version": "67b723f5b74254d27962b1b59bddfee1584575ff", "lessThan": "ae25885bdf59fde40726863c57fd20e4a0642183", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/drm_fb_helper.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.2", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "5.19.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9c49ac792c639dbec0728b513329a32461f72253"}, {"url": "https://git.kernel.org/stable/c/ae25885bdf59fde40726863c57fd20e4a0642183"}], "title": "drm/fb-helper: Fix out-of-bounds access", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DDA808D-1762-4306-BFCC-F1E9219F4F14", "versionEndExcluding": "5.19.2", "versionStartIncluding": "5.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fb-helper: Fix out-of-bounds access\n\nClip memory range to screen-buffer size to avoid out-of-bounds access\nin fbdev deferred I/O's damage handling.\n\nFbdev's deferred I/O can only track pages. From the range of pages, the\ndamage handler computes the clipping rectangle for the display update.\nIf the fbdev screen buffer ends near the beginning of a page, that page\ncould contain more scanlines. The damage handler would then track these\nnon-existing scanlines as dirty and provoke an out-of-bounds access\nduring the screen update. Hence, clip the maximum memory range to the\nsize of the screen buffer.\n\nWhile at it, rename the variables min/max to min_off/max_off in\ndrm_fb_helper_deferred_io(). This avoids confusion with the macros of\nthe same name."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/fb-helper: Arregla el acceso fuera de los l\u00edmites Recorta el rango de memoria al tama\u00f1o del b\u00fafer de pantalla para evitar el acceso fuera de los l\u00edmites en el manejo de da\u00f1os de E/S diferidas de fbdev. La E/S diferida de fbdev solo puede rastrear p\u00e1ginas. A partir del rango de p\u00e1ginas, el controlador de da\u00f1os calcula el rect\u00e1ngulo de recorte para la actualizaci\u00f3n de la pantalla. Si el b\u00fafer de pantalla de fbdev termina cerca del principio de una p\u00e1gina, esa p\u00e1gina podr\u00eda contener m\u00e1s l\u00edneas de exploraci\u00f3n. El controlador de da\u00f1os rastrear\u00eda entonces estas l\u00edneas de exploraci\u00f3n inexistentes como sucias y provocar\u00eda un acceso fuera de los l\u00edmites durante la actualizaci\u00f3n de la pantalla. Por lo tanto, recorta el rango m\u00e1ximo de memoria al tama\u00f1o del b\u00fafer de pantalla. Mientras lo haces, cambia el nombre de las variables min/max a min_off/max_off en drm_fb_helper_deferred_io(). Esto evita confusiones con las macros del mismo nombre."}], "id": "CVE-2022-50221", "lastModified": "2025-11-19T12:58:57.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-18T11:15:53.090", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9c49ac792c639dbec0728b513329a32461f72253"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ae25885bdf59fde40726863c57fd20e4a0642183"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/fb-helper: Fix out-of-bounds access", "id": "2373496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373496"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/fb-helper: Fix out-of-bounds access\nClip memory range to screen-buffer size to avoid out-of-bounds access\nin fbdev deferred I/O's damage handling.\nFbdev's deferred I/O can only track pages. From the range of pages, the\ndamage handler computes the clipping rectangle for the display update.\nIf the fbdev screen buffer ends near the beginning of a page, that page\ncould contain more scanlines. The damage handler would then track these\nnon-existing scanlines as dirty and provoke an out-of-bounds access\nduring the screen update. Hence, clip the maximum memory range to the\nsize of the screen buffer.\nWhile at it, rename the variables min/max to min_off/max_off in\ndrm_fb_helper_deferred_io(). This avoids confusion with the macros of\nthe same name."], "name": "CVE-2022-50221", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50221\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50221\nhttps://lore.kernel.org/linux-cve-announce/2025061847-CVE-2022-50221-1b80@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-06-23T08:53:47.065209+00:00", "updated": "2025-06-23T08:53:47.065259+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}