LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50073: net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null

In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null Fixes a NULL pointer derefence bug triggered from tap driver. When tap_get_user calls virtio_net_hdr_to_skb the skb->dev is null (in tap.c skb->dev is set after the call to virtio_net_hdr_to_skb) virtio_net_hdr_to_skb calls dev_parse_header_protocol which needs skb->dev field to be valid. The line that trigers the bug is in dev_parse_header_protocol (dev is at offset 0x10 from skb and is stored in RAX register) if (!dev->header_ops || !dev->header_ops->parse_protocol) 22e1: mov 0x10(%rbx),%rax 22e5: mov 0x230(%rax),%rax Setting skb->dev before the call in tap.c fixes the issue. BUG: kernel NULL pointer dereference, address: 0000000000000230 RIP: 0010:virtio_net_hdr_to_skb.constprop.0+0x335/0x410 [tap] Code: c0 0f 85 b7 fd ff ff eb d4 41 39 c6 77 cf 29 c6 48 89 df 44 01 f6 e8 7a 79 83 c1 48 85 c0 0f 85 d9 fd ff ff eb b7 48 8b 43 10 <48> 8b 80 30 02 00 00 48 85 c0 74 55 48 8b 40 28 48 85 c0 74 4c 48 RSP: 0018:ffffc90005c27c38 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888298f25300 RCX: 0000000000000010 RDX: 0000000000000005 RSI: ffffc90005c27cb6 RDI: ffff888298f25300 RBP: ffffc90005c27c80 R08: 00000000ffffffea R09: 00000000000007e8 R10: ffff88858ec77458 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000014 R14: ffffc90005c27e08 R15: ffffc90005c27cb6 FS: 0000000000000000(0000) GS:ffff88858ec40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000230 CR3: 0000000281408006 CR4: 00000000003706e0 Call Trace: tap_get_user+0x3f1/0x540 [tap] tap_sendmsg+0x56/0x362 [tap] ? get_tx_bufs+0xc2/0x1e0 [vhost_net] handle_tx_copy+0x114/0x670 [vhost_net] handle_tx+0xb0/0xe0 [vhost_net] handle_tx_kick+0x15/0x20 [vhost_net] vhost_worker+0x7b/0xc0 [vhost] ? vhost_vring_call_reset+0x40/0x40 [vhost] kthread+0xfa/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-50073 is a Linux kernel bug in TAP networking. In affected kernels, a crafted or malformed path through virtual networking can hit a NULL pointer and crash kernel code. The business impact is most likely availability loss on systems using TAP or vhost-based virtual networking, but the public data does not provide a CVSS score.

Executive priority

Prioritize as a stability and availability risk for virtualization or network infrastructure. Because severity, exploitation, and privilege requirements are not established in the provided sources, handle through normal kernel patch governance unless local exposure to TAP/vhost workloads is high.

Technical view

The flaw occurs when tap_get_user calls virtio_net_hdr_to_skb before skb->dev is set. virtio_net_hdr_to_skb reaches dev_parse_header_protocol, which dereferences skb->dev and can trigger a kernel NULL pointer dereference. Kernel stable commits set skb->dev earlier in tap.c to resolve the crash condition.

Likely exposure

Exposure is most relevant to Linux systems using the kernel TAP driver and virtual networking paths such as vhost_net. The source bundle lists Linux kernel versions and stable commit references, but distribution-specific affected and fixed package versions are not provided.

Exploitation context

The bundle shows a kernel crash trace and marks CISA KEV as false. No cited source states active exploitation, public exploit availability, remote reachability, or privilege requirements. Treat exploitability details as incomplete until vendor or distribution advisories clarify them.

Researcher notes

Key evidence is the upstream kernel description and stable commit references. The affected-version data is not enough to map every distribution kernel safely. Further analysis should focus on commit ancestry, distro backports, and whether untrusted actors can reach TAP send paths in the target environment.

Mitigation direction

  • Update to a Linux kernel build containing the referenced stable fixes.
  • Check distribution advisories for CVE-2022-50073 backport status.
  • Prioritize hosts using TAP or vhost-based virtual networking.
  • Avoid assuming unaffected status from upstream versions alone; verify packaged kernels.

Validation and detection

  • Inventory Linux kernel versions across virtualized and networking-heavy hosts.
  • Check whether deployed kernels include the referenced stable commits.
  • Review crash logs for NULL dereferences in virtio_net_hdr_to_skb or tap_get_user.
  • Confirm distribution security trackers map your package version to this CVE.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-50073 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
5Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxfaa3baa2828c5e1c4374f3e60041f75c64f5fcb6, 924a9bc362a5223cd448ca08c3dde21235adc310, 924a9bc362a5223cd448ca08c3dde21235adc310, 924a9bc362a5223cd448ca08c3dde21235adc310, ea3fb2ce5fa794d02135f5c079e05cd6fc3f545d, 54ef8243c3c8e90f1ea5792e6752e021a25c8eb3, ca278267d6cd9544645731732455b6b20cb0e895, 99b1d3f74b9ef72c2f74c8e4c078e1bc0706e748, 5.10.24, 4.14.226, 4.19.181, 5.4.106, 5.11.7unaffected
LinuxLinux5.12, 0, 5.10.258, 5.15.209, 5.19.4, 6.0affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.