{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50635", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-08T23:57:43.370Z", "datePublished": "2025-12-09T00:00:08.590Z", "dateUpdated": "2026-05-11T19:22:39.662Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:22:39.662Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\n\nI found a null pointer reference in arch_prepare_kprobe():\n\n # echo 'p cmdline_proc_show' > kprobe_events\n # echo 'p cmdline_proc_show+16' >> kprobe_events\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000000050bfc\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n Modules linked in:\n CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\n NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\n REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\n MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006\n CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n ...\n NIP arch_prepare_kprobe+0x10c/0x2d0\n LR arch_prepare_kprobe+0xfc/0x2d0\n Call Trace:\n 0xc0000000012f77a0 (unreliable)\n register_kprobe+0x3c0/0x7a0\n __register_trace_kprobe+0x140/0x1a0\n __trace_kprobe_create+0x794/0x1040\n trace_probe_create+0xc4/0xe0\n create_or_delete_trace_kprobe+0x2c/0x80\n trace_parse_run_command+0xf0/0x210\n probes_write+0x20/0x40\n vfs_write+0xfc/0x450\n ksys_write+0x84/0x140\n system_call_exception+0x17c/0x3a0\n system_call_vectored_common+0xe8/0x278\n --- interrupt: 3000 at 0x7fffa5682de0\n NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\n REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\n MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000\n\nThe address being probed has some special:\n\n cmdline_proc_show: Probe based on ftrace\n cmdline_proc_show+16: Probe for the next instruction at the ftrace location\n\nThe ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n\n ...\n prev = get_kprobe(p->addr - 1);\n preempt_enable_no_resched();\n if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {\n ...\n\nIf prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur\nwith a null pointer reference. At this point prev->addr will not be a\nprefixed instruction, so the check can be skipped.\n\nCheck if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'\nto fix this problem.\n\n[mpe: Trim oops]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/powerpc/kernel/kprobes.c"], "versions": [{"version": "b4657f7650babc9bfb41ce875abe41b18604a105", "lessThan": "7f536a8cb62dd5c084f112373fc34cdb5168a813", "status": "affected", "versionType": "git"}, {"version": "b4657f7650babc9bfb41ce875abe41b18604a105", "lessThan": "4eac4f6a86ae73ef4b772d37398beeba2fbfde4e", "status": "affected", "versionType": "git"}, {"version": "b4657f7650babc9bfb41ce875abe41b18604a105", "lessThan": "5fd1b369387c53ee6c774ab86e32e362a1e537ac", "status": "affected", "versionType": "git"}, {"version": "b4657f7650babc9bfb41ce875abe41b18604a105", "lessThan": "97f88a3d723162781d6cbfdc7b9617eefab55b19", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/powerpc/kernel/kprobes.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.75", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.17", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.3", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.15.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.19.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.0.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813"}, {"url": "https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e"}, {"url": "https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac"}, {"url": "https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19"}], "title": "powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\n\nI found a null pointer reference in arch_prepare_kprobe():\n\n # echo 'p cmdline_proc_show' > kprobe_events\n # echo 'p cmdline_proc_show+16' >> kprobe_events\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000000050bfc\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n Modules linked in:\n CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\n NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\n REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\n MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006\n CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n ...\n NIP arch_prepare_kprobe+0x10c/0x2d0\n LR arch_prepare_kprobe+0xfc/0x2d0\n Call Trace:\n 0xc0000000012f77a0 (unreliable)\n register_kprobe+0x3c0/0x7a0\n __register_trace_kprobe+0x140/0x1a0\n __trace_kprobe_create+0x794/0x1040\n trace_probe_create+0xc4/0xe0\n create_or_delete_trace_kprobe+0x2c/0x80\n trace_parse_run_command+0xf0/0x210\n probes_write+0x20/0x40\n vfs_write+0xfc/0x450\n ksys_write+0x84/0x140\n system_call_exception+0x17c/0x3a0\n system_call_vectored_common+0xe8/0x278\n --- interrupt: 3000 at 0x7fffa5682de0\n NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\n REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\n MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000\n\nThe address being probed has some special:\n\n cmdline_proc_show: Probe based on ftrace\n cmdline_proc_show+16: Probe for the next instruction at the ftrace location\n\nThe ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n\n ...\n prev = get_kprobe(p->addr - 1);\n preempt_enable_no_resched();\n if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {\n ...\n\nIf prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur\nwith a null pointer reference. At this point prev->addr will not be a\nprefixed instruction, so the check can be skipped.\n\nCheck if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'\nto fix this problem.\n\n[mpe: Trim oops]"}], "id": "CVE-2022-50635", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2025-12-09T01:16:45.717", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()", "id": "2420274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420274"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\nI found a null pointer reference in arch_prepare_kprobe():\n# echo 'p cmdline_proc_show' > kprobe_events\n# echo 'p cmdline_proc_show+16' >> kprobe_events\nKernel attempted to read user page (0) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x00000000\nFaulting instruction address: 0xc000000000050bfc\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\nModules linked in:\nCPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\nNIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\nREGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\nMSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006\nCFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n...\nNIP arch_prepare_kprobe+0x10c/0x2d0\nLR arch_prepare_kprobe+0xfc/0x2d0\nCall Trace:\n0xc0000000012f77a0 (unreliable)\nregister_kprobe+0x3c0/0x7a0\n__register_trace_kprobe+0x140/0x1a0\n__trace_kprobe_create+0x794/0x1040\ntrace_probe_create+0xc4/0xe0\ncreate_or_delete_trace_kprobe+0x2c/0x80\ntrace_parse_run_command+0xf0/0x210\nprobes_write+0x20/0x40\nvfs_write+0xfc/0x450\nksys_write+0x84/0x140\nsystem_call_exception+0x17c/0x3a0\nsystem_call_vectored_common+0xe8/0x278\n--- interrupt: 3000 at 0x7fffa5682de0\nNIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\nREGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\nMSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000\nThe address being probed has some special:\ncmdline_proc_show: Probe based on ftrace\ncmdline_proc_show+16: Probe for the next instruction at the ftrace location\nThe ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n...\nprev = get_kprobe(p->addr - 1);\npreempt_enable_no_resched();\nif (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {\n...\nIf prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur\nwith a null pointer reference. At this point prev->addr will not be a\nprefixed instruction, so the check can be skipped.\nCheck if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'\nto fix this problem.\n[mpe: Trim oops]"], "name": "CVE-2022-50635", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50635\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50635\nhttps://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50635-b2b8@gregkh/T"], "threat_severity": "Moderate"}

{}