LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50543: RDMA/rxe: Fix mr->map double free

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix mr->map double free rxe_mr_cleanup() which tries to free mr->map again will be called when rxe_mr_init_user() fails: CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x45/0x5d panic+0x19e/0x349 end_report.part.0+0x54/0x7c kasan_report.cold+0xa/0xf rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe] __rxe_cleanup+0x10a/0x1e0 [rdma_rxe] rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe] ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs] This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix memory leak in error path code") and then we fixed it in commit 8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this fix was reverted together at last by commit 1e75550648da (Revert "RDMA/rxe: Create duplicate mapping tables for FMRs") Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is successfully allocated.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-50543 is a Linux kernel RDMA/rxe bug where an error path can free the same memory mapping twice. The public record shows a kernel panic during RDMA user memory registration failure. Business risk is mainly instability or denial of service on systems using the rxe Soft-RoCE RDMA driver.

Executive priority

Treat as targeted infrastructure hygiene unless RDMA/rxe is used in production. Patch affected kernels through normal maintenance, faster for multi-user compute, virtualization, lab, or storage environments where local kernel crashes have business impact.

Technical view

The flaw is in rxe_mr_cleanup() and rxe_mr_init_user() handling of mr->map. When user memory region initialization fails, cleanup may free mr->map again. The kernel fix centralizes freeing so rxe_mr_cleanup() handles mr->map only once after successful allocation.

Likely exposure

Exposure appears limited to Linux systems with the RDMA rxe driver and ib_uverbs path in use. The source bundle lists Linux kernel affected metadata including 6.0, 6.0.16, 6.1.2, and 6.2, but exact distro backport status must be checked separately.

Exploitation context

No CISA KEV listing or cited source in the bundle indicates active exploitation. The trace shows a crash in a KASAN-instrumented kernel during RDMA user memory registration error handling, but the bundle does not prove practical exploitation beyond kernel instability.

Researcher notes

The supplied record links the issue to commit b18c7da63fcb, a reverted earlier fix, and stable commits 6ce577f, 06f73568, and 7d984dac. Severity, CVSS, CWE, and exploitability details are absent, so conclusions should stay conservative.

Mitigation direction

  • Check vendor kernel advisories for patched packages or backports.
  • Prioritize updates on hosts using RDMA/rxe or ib_uverbs.
  • Disable or avoid loading rdma_rxe where not operationally required.
  • Restrict local access to RDMA user verbs devices where feasible.

Validation and detection

  • Inventory kernels and compare against vendor-fixed versions.
  • Check whether rdma_rxe and ib_uverbs modules are loaded.
  • Review whether applications rely on Soft-RoCE RDMA paths.
  • Confirm kernel package includes the referenced stable fixes.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-50543 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1e75550648da1fa1cd1969e7597355de8fe8caf6, 1e75550648da1fa1cd1969e7597355de8fe8caf6, 1e75550648da1fa1cd1969e7597355de8fe8caf6, e004a35e8148ad9fc438b0479884641acf382896, 5.19.4unaffected
LinuxLinux6.0, 0, 6.0.16, 6.1.2, 6.2affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.