Security readout for executives and security teams
Plain-English summary
This is a Linux kernel issue limited to LoongArch CPU information handling. Reading /proc/cpuinfo can trigger a kernel warning under specific debug and CPU mask configurations. The provided sources do not show data theft, privilege escalation, remote attack, or active exploitation.
Executive priority
Treat this as routine kernel maintenance unless LoongArch systems are operationally important or logs show instability. There is no source-backed evidence of active exploitation or high-impact security abuse.
Technical view
LoongArch show_cpuinfo iterated CPUs using NR_CPUS instead of nr_cpu_ids when CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS were enabled. That could trigger cpu_max_bits_warn() during /proc/cpuinfo reads. The fix changes iteration to the runtime CPU limit.
Likely exposure
Exposure appears limited to Linux systems on LoongArch hardware with the relevant kernel versions and configuration options enabled. General Linux deployments on other architectures are not indicated as affected by the provided sources.
Exploitation context
The bundle marks KEV as false and provides no cited evidence of exploitation. The described behavior is a runtime warning during /proc/cpuinfo access, not an exploit path or security boundary bypass in the supplied evidence.
Researcher notes
The core defect is bounds selection in CPU mask iteration for LoongArch cpuinfo display. Evidence is narrow: affected metadata, warning trace, and two stable commit references. No CVSS, CWE, exploit status, or distribution-specific advisories are provided.
Mitigation direction
Review Linux vendor guidance for your distribution and LoongArch kernel packages.
Update to a kernel containing the referenced stable fixes where applicable.
Prioritize LoongArch systems running affected 5.19-era or 6.0 kernel metadata entries.
If patching is delayed, monitor kernel logs for repeated cpuinfo warnings.
Validation and detection
Inventory LoongArch Linux systems and their running kernel versions.
Check whether CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are enabled.
Confirm downstream kernel packages include the referenced stable commits.
Review dmesg or system logs for show_cpuinfo cpu_max_bits_warn messages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50223 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:03 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.