In the Linux kernel, the following vulnerability has been resolved:
net: sched: sfb: fix null pointer access issue when sfb_init() fails
When the default qdisc is sfb, if the qdisc of dev_queue fails to be
inited during mqprio_init(), sfb_reset() is invoked to clear resources.
In this case, the q->qdisc is NULL, and it will cause gpf issue.
The process is as follows:
qdisc_create_dflt()
sfb_init()
tcf_block_get() --->failed, q->qdisc is NULL
...
qdisc_put()
...
sfb_reset()
qdisc_reset(q->qdisc) --->q->qdisc is NULL
ops = qdisc->ops
The following is the Call Trace information:
general protection fault, probably for non-canonical address
0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
RIP: 0010:qdisc_reset+0x2b/0x6f0
Call Trace:
<TASK>
sfb_reset+0x37/0xd0
qdisc_reset+0xed/0x6f0
qdisc_destroy+0x82/0x4c0
qdisc_put+0x9e/0xb0
qdisc_create_dflt+0x2c3/0x4a0
mqprio_init+0xa71/0x1760
qdisc_create+0x3eb/0x1000
tc_modify_qdisc+0x408/0x1720
rtnetlink_rcv_msg+0x38e/0xac0
netlink_rcv_skb+0x12d/0x3a0
netlink_unicast+0x4a2/0x740
netlink_sendmsg+0x826/0xcc0
sock_sendmsg+0xc5/0x100
____sys_sendmsg+0x583/0x690
___sys_sendmsg+0xe8/0x160
__sys_sendmsg+0xbf/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f2164122d04
</TASK>
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can let a local, authenticated user or process trigger a kernel crash condition in the traffic-control scheduler path. The documented impact is availability only: no confidentiality or integrity impact is claimed. It matters most for shared Linux systems where local users, containers, or services can reach the relevant networking configuration path.
Executive priority
Treat this as a routine but real availability risk. It is not described as remote code execution or data theft, but a local crash path can still affect uptime on shared Linux infrastructure. Patch through normal kernel maintenance, prioritizing exposed multi-user or container hosts.
Technical view
CVE-2022-50356 is a NULL pointer dereference in the Linux kernel sfb qdisc cleanup path. If sfb_init() fails during mqprio_init(), q->qdisc can remain NULL, and sfb_reset() later calls qdisc_reset(q->qdisc), causing a general protection fault. CVSS 3.1 is 5.5, local attack vector, low complexity, low privileges, and high availability impact.
Likely exposure
Exposure is limited to affected Linux kernels and local access paths. Risk is higher on multi-user hosts or environments where less-trusted local workloads can interact with traffic-control qdisc configuration. Network-only exposure is not indicated by the provided sources.
Exploitation context
The source bundle does not report active exploitation, and KEV is false. The described trigger is local and depends on a failure path involving default sfb qdisc creation during mqprio initialization. No public exploit steps are provided in the sources.
Researcher notes
The evidence supports CWE-476 and availability impact from NULL qdisc handling after sfb_init() failure. Version data in the bundle is incomplete without vendor package mapping, so confirm affected ranges through Linux stable commits and distribution advisories before declaring systems remediated.
Mitigation direction
Update to a kernel containing the referenced stable fixes or vendor backports.
Check Linux distribution advisories for the exact fixed package for your release.
Prioritize shared hosts, container platforms, and systems with untrusted local users.
Restrict unnecessary local access to networking traffic-control configuration paths.
Validation and detection
Inventory Linux kernel versions across affected systems.
Confirm whether the referenced stable commits or vendor backports are present.
Review kernel logs for related general protection faults in sfb_reset or qdisc_reset.
Map which hosts allow untrusted local users or workloads.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-476 · source CWE mapping
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.