CVE-2022-50506 — Vulnetix

Try Vulnetix Request Demo

CVE-2022-50506 PUBLISHED CVSS 5.5 MEDIUM

In the Linux kernel, the following vulnerability has been resolved: drbd: only clone bio if we have a backing device Commit c347a787e34cb (drbd: set ->bi_bdev in drbd_req_new) moved a bio_set_dev call (which has since been removed) to "earlier", from drbd_request_prepare to drbd_req_new. The problem is that this accesses device->ldev->backing_bdev, which is not NULL-checked at this point. When we don't have an ldev (i.e. when the DRBD device is diskless), this leads to a null pointer deref. So, only allocate the private_bio if we actually have a disk. This is also a small optimization, since we don't clone the bio to only to immediately free it again in the diskless case.

EPSS 0.02% · 4.7th percentile

Risk Scores

CVSS v3.1

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.02%

4.7th percentile

Affected Products

Vendor	Product	Versions
linux	linux_kernel	5.18, 5.18, 5.18
Linux	Linux	6.0.6, c347a787e34cba0e5a80a04082dacaf259105605, 6.1

Timeline

Oct 4, 2025 CVE Published
Oct 5, 2025 EPSS Score
Oct 11, 2025 EPSS Score
Oct 17, 2025 EPSS Score
Oct 23, 2025 EPSS Score
Oct 29, 2025 EPSS Score
Nov 3, 2025 EPSS Score
Nov 9, 2025 EPSS Score
Nov 15, 2025 EPSS Score
Nov 21, 2025 EPSS Score
Nov 27, 2025 EPSS Score
Dec 3, 2025 EPSS Score

References

Open in Interactive Console →