In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix mr->map double free
rxe_mr_cleanup() which tries to free mr->map again will be called when
rxe_mr_init_user() fails:
CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5d
panic+0x19e/0x349
end_report.part.0+0x54/0x7c
kasan_report.cold+0xa/0xf
rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]
__rxe_cleanup+0x10a/0x1e0 [rdma_rxe]
rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]
ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]
ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]
This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix
memory leak in error path code") and then we fixed it in commit
8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this
fix was reverted together at last by commit 1e75550648da (Revert
"RDMA/rxe: Create duplicate mapping tables for FMRs")
Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is
successfully allocated.
Security readout for executives and security teams
Plain-English summary
CVE-2022-50543 is a Linux kernel RDMA/rxe bug where an error path can free the same memory mapping twice. The public record shows a kernel panic during RDMA user memory registration failure. Business risk is mainly instability or denial of service on systems using the rxe Soft-RoCE RDMA driver.
Executive priority
Treat as targeted infrastructure hygiene unless RDMA/rxe is used in production. Patch affected kernels through normal maintenance, faster for multi-user compute, virtualization, lab, or storage environments where local kernel crashes have business impact.
Technical view
The flaw is in rxe_mr_cleanup() and rxe_mr_init_user() handling of mr->map. When user memory region initialization fails, cleanup may free mr->map again. The kernel fix centralizes freeing so rxe_mr_cleanup() handles mr->map only once after successful allocation.
Likely exposure
Exposure appears limited to Linux systems with the RDMA rxe driver and ib_uverbs path in use. The source bundle lists Linux kernel affected metadata including 6.0, 6.0.16, 6.1.2, and 6.2, but exact distro backport status must be checked separately.
Exploitation context
No CISA KEV listing or cited source in the bundle indicates active exploitation. The trace shows a crash in a KASAN-instrumented kernel during RDMA user memory registration error handling, but the bundle does not prove practical exploitation beyond kernel instability.
Researcher notes
The supplied record links the issue to commit b18c7da63fcb, a reverted earlier fix, and stable commits 6ce577f, 06f73568, and 7d984dac. Severity, CVSS, CWE, and exploitability details are absent, so conclusions should stay conservative.
Mitigation direction
Check vendor kernel advisories for patched packages or backports.
Prioritize updates on hosts using RDMA/rxe or ib_uverbs.
Disable or avoid loading rdma_rxe where not operationally required.
Restrict local access to RDMA user verbs devices where feasible.
Validation and detection
Inventory kernels and compare against vendor-fixed versions.
Check whether rdma_rxe and ib_uverbs modules are loaded.
Review whether applications rely on Soft-RoCE RDMA paths.
Confirm kernel package includes the referenced stable fixes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50543 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
4Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 7, 2025, 15:21 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.