CVE-2022-50114: net: 9p: fix refcount leak in p9_read_work() error handling
In the Linux kernel, the following vulnerability has been resolved:
net: 9p: fix refcount leak in p9_read_work() error handling
p9_req_put need to be called when m->rreq->rc.sdata is NULL to avoid
temporary refcount leak.
[Dominique: commit wording adjustments, p9_req_put argument fixes for rebase]
Security readout for executives and security teams
Plain-English summary
CVE-2022-50114 is a Linux kernel 9p networking bug where an error path failed to release a request reference. The public record describes a temporary refcount leak, but does not provide CVSS, CWE, exploit evidence, or business impact details.
Executive priority
Treat as a routine kernel maintenance item unless your environment depends on Linux 9p functionality. Urgency is constrained by missing severity data and no cited exploitation evidence.
Technical view
In net/9p p9_read_work() error handling, p9_req_put() must be called when m->rreq->rc.sdata is NULL. Without that release, the kernel can temporarily leak a request reference. Linux stable commits are listed as the remediation sources.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with the 9p networking code present and relevant to workloads. The source bundle does not specify required configuration, attack prerequisites, or affected distributions.
Exploitation context
No active exploitation is supported by the provided sources. The CVE is not marked KEV, and the bundle contains no public exploit status, attack path, or proof-of-concept reference.
Researcher notes
The record is sparse: no CVSS, CWE, exploit status, or deployment prerequisites are provided. Analysis should focus on the p9_read_work() NULL sdata error path and whether downstream kernels backported the p9_req_put() fix.
Mitigation direction
Review vendor Linux kernel advisories for your distribution.
Update to a kernel containing the listed stable fixes.
Prioritize systems using or exposing Linux 9p functionality.
Track this as unknown severity until vendor scoring is available.
Validation and detection
Inventory Linux kernel versions across production systems.
Check whether 9p-related kernel functionality is enabled or used.
Compare installed kernel fixes against the referenced stable commits.
Confirm distribution packages include the upstream correction.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50114 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
6Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:02 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.