{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50256", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-15T13:58:00.973Z", "datePublished": "2025-09-15T14:02:39.052Z", "dateUpdated": "2026-05-11T19:15:48.068Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:15:48.068Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: remove drm bridges at aggregate driver unbind time\n\ndrm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init\nwere not manually removed at module unload time, which caused dangling\nreferences to freed memory to remain linked in the global bridge_list.\n\nWhen loading the driver modules back in, the same functions would again\ncall drm_bridge_add, and when traversing the global bridge_list, would\nend up peeking into freed memory.\n\nOnce again KASAN revealed the problem:\n\n[ +0.000095] =============================================================\n[ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120\n[ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483\n\n[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1\n[ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[ +0.000008] Call trace:\n[ +0.000006] dump_backtrace+0x1ec/0x280\n[ +0.000012] show_stack+0x24/0x80\n[ +0.000008] dump_stack_lvl+0x98/0xd4\n[ +0.000011] print_address_description.constprop.0+0x80/0x520\n[ +0.000011] print_report+0x128/0x260\n[ +0.000008] kasan_report+0xb8/0xfc\n[ +0.000008] __asan_report_load8_noabort+0x3c/0x50\n[ +0.000009] __list_add_valid+0x9c/0x120\n[ +0.000009] drm_bridge_add+0x6c/0x104 [drm]\n[ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]\n[ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]\n[ +0.000014] component_bind+0x174/0x520\n[ +0.000012] component_bind_all+0x1a8/0x38c\n[ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm]\n[ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm]\n[ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390\n[ +0.000010] component_master_add_with_match+0x1c8/0x284\n[ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm]\n[ +0.000026] platform_probe+0xd0/0x220\n[ +0.000009] really_probe+0x3ac/0xa80\n[ +0.000009] __driver_probe_device+0x1f8/0x400\n[ +0.000009] driver_probe_device+0x68/0x1b0\n[ +0.000009] __driver_attach+0x20c/0x480\n[ +0.000008] bus_for_each_dev+0x114/0x1b0\n[ +0.000009] driver_attach+0x48/0x64\n[ +0.000008] bus_add_driver+0x390/0x564\n[ +0.000009] driver_register+0x1a8/0x3e4\n[ +0.000009] __platform_driver_register+0x6c/0x94\n[ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]\n[ +0.000027] do_one_initcall+0xc4/0x2b0\n[ +0.000011] do_init_module+0x154/0x570\n[ +0.000011] load_module+0x1a78/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000009] __arm64_sys_init_module+0x78/0xb0\n[ +0.000009] invoke_syscall+0x74/0x260\n[ +0.000009] el0_svc_common.constprop.0+0xcc/0x260\n[ +0.000008] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000012] el0t_64_sync_handler+0x11c/0x150\n[ +0.000008] el0t_64_sync+0x18c/0x190\n\n[ +0.000016] Allocated by task 879:\n[ +0.000008] kasan_save_stack+0x2c/0x5c\n[ +0.000011] __kasan_kmalloc+0x90/0xd0\n[ +0.000007] __kmalloc+0x278/0x4a0\n[ +0.000011] mpi_resize+0x13c/0x1d0\n[ +0.000011] mpi_powm+0xd24/0x1570\n[ +0.000009] rsa_enc+0x1a4/0x30c\n[ +0.000009] pkcs1pad_verify+0x3f0/0x580\n[ +0.000009] public_key_verify_signature+0x7a8/0xba4\n[ +0.000010] public_key_verify_signature_2+0x40/0x60\n[ +0.000008] verify_signature+0xb4/0x114\n[ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574\n[ +0.000009] pkcs7_validate_trust+0xb8/0x15c\n[ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0\n[ +0.000012] verify_pkcs7_signature+0x78/0xac\n[ +0.000007] mod_verify_sig+0x110/0x190\n[ +0.000009] module_sig_check+0x114/0x1e0\n[ +0.000009] load_module+0xa0/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000008] __arm64_sys_init_module+0x78/0xb0\n[ +0.000008] invoke_syscall+0x74/0x260\n[ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260\n[ +0.000008] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000009] el0t_64_sync_handler+0x11c/0x150\n[ +0.000009] el0t_64\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/meson/meson_drv.c", "drivers/gpu/drm/meson/meson_drv.h", "drivers/gpu/drm/meson/meson_encoder_cvbs.c", "drivers/gpu/drm/meson/meson_encoder_cvbs.h", "drivers/gpu/drm/meson/meson_encoder_hdmi.c", "drivers/gpu/drm/meson/meson_encoder_hdmi.h"], "versions": [{"version": "bbbe775ec5b5dace43a35886da9924837da09ddd", "lessThan": "de2b6ebe0cb7746b5b6b35d79e150d934392b958", "status": "affected", "versionType": "git"}, {"version": "bbbe775ec5b5dace43a35886da9924837da09ddd", "lessThan": "fc1fd114dde3d2623ac37676df3d74ffeedb0da8", "status": "affected", "versionType": "git"}, {"version": "bbbe775ec5b5dace43a35886da9924837da09ddd", "lessThan": "09847723c12fc2753749cec3939a02ee92dac468", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/meson/meson_drv.c", "drivers/gpu/drm/meson/meson_drv.h", "drivers/gpu/drm/meson/meson_encoder_cvbs.c", "drivers/gpu/drm/meson/meson_encoder_cvbs.h", "drivers/gpu/drm/meson/meson_encoder_hdmi.c", "drivers/gpu/drm/meson/meson_encoder_hdmi.h"], "versions": [{"version": "4.10", "status": "affected"}, {"version": "0", "lessThan": "4.10", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.17", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.3", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "5.19.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.0.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/de2b6ebe0cb7746b5b6b35d79e150d934392b958"}, {"url": "https://git.kernel.org/stable/c/fc1fd114dde3d2623ac37676df3d74ffeedb0da8"}, {"url": "https://git.kernel.org/stable/c/09847723c12fc2753749cec3939a02ee92dac468"}], "title": "drm/meson: remove drm bridges at aggregate driver unbind time", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D9E41A0-73E6-47EF-B833-DBA6045CECFB", "versionEndExcluding": "5.19.17", "versionStartIncluding": "4.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF", "versionEndExcluding": "6.0.3", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: remove drm bridges at aggregate driver unbind time\n\ndrm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init\nwere not manually removed at module unload time, which caused dangling\nreferences to freed memory to remain linked in the global bridge_list.\n\nWhen loading the driver modules back in, the same functions would again\ncall drm_bridge_add, and when traversing the global bridge_list, would\nend up peeking into freed memory.\n\nOnce again KASAN revealed the problem:\n\n[ +0.000095] =============================================================\n[ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120\n[ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483\n\n[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1\n[ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[ +0.000008] Call trace:\n[ +0.000006] dump_backtrace+0x1ec/0x280\n[ +0.000012] show_stack+0x24/0x80\n[ +0.000008] dump_stack_lvl+0x98/0xd4\n[ +0.000011] print_address_description.constprop.0+0x80/0x520\n[ +0.000011] print_report+0x128/0x260\n[ +0.000008] kasan_report+0xb8/0xfc\n[ +0.000008] __asan_report_load8_noabort+0x3c/0x50\n[ +0.000009] __list_add_valid+0x9c/0x120\n[ +0.000009] drm_bridge_add+0x6c/0x104 [drm]\n[ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]\n[ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]\n[ +0.000014] component_bind+0x174/0x520\n[ +0.000012] component_bind_all+0x1a8/0x38c\n[ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm]\n[ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm]\n[ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390\n[ +0.000010] component_master_add_with_match+0x1c8/0x284\n[ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm]\n[ +0.000026] platform_probe+0xd0/0x220\n[ +0.000009] really_probe+0x3ac/0xa80\n[ +0.000009] __driver_probe_device+0x1f8/0x400\n[ +0.000009] driver_probe_device+0x68/0x1b0\n[ +0.000009] __driver_attach+0x20c/0x480\n[ +0.000008] bus_for_each_dev+0x114/0x1b0\n[ +0.000009] driver_attach+0x48/0x64\n[ +0.000008] bus_add_driver+0x390/0x564\n[ +0.000009] driver_register+0x1a8/0x3e4\n[ +0.000009] __platform_driver_register+0x6c/0x94\n[ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]\n[ +0.000027] do_one_initcall+0xc4/0x2b0\n[ +0.000011] do_init_module+0x154/0x570\n[ +0.000011] load_module+0x1a78/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000009] __arm64_sys_init_module+0x78/0xb0\n[ +0.000009] invoke_syscall+0x74/0x260\n[ +0.000009] el0_svc_common.constprop.0+0xcc/0x260\n[ +0.000008] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000012] el0t_64_sync_handler+0x11c/0x150\n[ +0.000008] el0t_64_sync+0x18c/0x190\n\n[ +0.000016] Allocated by task 879:\n[ +0.000008] kasan_save_stack+0x2c/0x5c\n[ +0.000011] __kasan_kmalloc+0x90/0xd0\n[ +0.000007] __kmalloc+0x278/0x4a0\n[ +0.000011] mpi_resize+0x13c/0x1d0\n[ +0.000011] mpi_powm+0xd24/0x1570\n[ +0.000009] rsa_enc+0x1a4/0x30c\n[ +0.000009] pkcs1pad_verify+0x3f0/0x580\n[ +0.000009] public_key_verify_signature+0x7a8/0xba4\n[ +0.000010] public_key_verify_signature_2+0x40/0x60\n[ +0.000008] verify_signature+0xb4/0x114\n[ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574\n[ +0.000009] pkcs7_validate_trust+0xb8/0x15c\n[ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0\n[ +0.000012] verify_pkcs7_signature+0x78/0xac\n[ +0.000007] mod_verify_sig+0x110/0x190\n[ +0.000009] module_sig_check+0x114/0x1e0\n[ +0.000009] load_module+0xa0/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000008] __arm64_sys_init_module+0x78/0xb0\n[ +0.000008] invoke_syscall+0x74/0x260\n[ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260\n[ +0.000008] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000009] el0t_64_sync_handler+0x11c/0x150\n[ +0.000009] el0t_64\n---truncated---"}], "id": "CVE-2022-50256", "lastModified": "2025-11-25T16:52:25.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-09-15T14:15:36.363", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/09847723c12fc2753749cec3939a02ee92dac468"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/de2b6ebe0cb7746b5b6b35d79e150d934392b958"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fc1fd114dde3d2623ac37676df3d74ffeedb0da8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/meson: remove drm bridges at aggregate driver unbind time", "id": "2395357", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395357"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2022-50256", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50256\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50256\nhttps://lore.kernel.org/linux-cve-announce/2025091550-CVE-2022-50256-069f@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-09-17T10:08:17.876214+00:00", "updated": "2025-09-17T10:08:17.876274+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}