CVE-2022-50555: tipc: fix a null-ptr-deref in tipc_topsrv_accept
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix a null-ptr-deref in tipc_topsrv_accept
syzbot found a crash in tipc_topsrv_accept:
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Workqueue: tipc_rcv tipc_topsrv_accept
RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487
Call Trace:
<TASK>
tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
It was caused by srv->listener that might be set to null by
tipc_topsrv_stop() in net .exit whereas it's still used in
tipc_topsrv_accept() worker.
srv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add
a check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to
avoid the null-ptr-deref. To ensure the lsock is not released during the
tipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop()
where it's waiting until the tipc_topsrv_accept worker to be done.
Note that sk_callback_lock is used to protect sk->sk_user_data instead of
srv->listener, and it should check srv in tipc_topsrv_listener_data_ready()
instead. This also ensures that no more tipc_topsrv_accept worker will be
started after tipc_conn_close() is called in tipc_topsrv_stop() where it
sets sk->sk_user_data to null.
Security readout for executives and security teams
Plain-English summary
CVE-2022-50555 is a Linux kernel TIPC crash bug. A race can leave the TIPC topology server accept worker using a listener pointer after it was cleared, causing a null pointer dereference and kernel crash. The public record does not provide CVSS or evidence of active exploitation.
Executive priority
Handle through normal kernel patch governance, with faster attention for production systems using TIPC or requiring high availability. There is no public evidence of active exploitation in the supplied sources, but kernel crash bugs can create operational outages.
Technical view
The issue is in net/tipc/topsrv.c. tipc_topsrv_stop() can set srv->listener to null while tipc_topsrv_accept() still uses it. The kernel fix checks srv->listener under srv->idr_lock, moves sock_release() until after work shutdown, and tightens listener callback handling.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with TIPC enabled or in use. The source bundle lists affected Linux kernel ranges and stable fix commits, but does not describe distribution package status or runtime defaults.
Exploitation context
No cited source says this is actively exploited, and KEV is false. Public evidence in the bundle describes a syzbot-discovered crash, not weaponized exploitation. Impact should be treated primarily as potential denial of service until vendor-specific advisories say more.
Researcher notes
The fix addresses lifetime and locking around srv->listener and workqueue shutdown in TIPC topology server code. The record lacks CVSS, CWE, exploit prerequisites, and distribution-specific package mapping, so exposure conclusions should be verified against deployed kernels and vendor advisories.
Mitigation direction
Update to a vendor kernel containing the referenced stable fixes.
Check Linux distribution advisories for exact fixed package versions.
Disable or restrict TIPC where it is not required.
Prioritize systems where kernel crashes affect availability commitments.
Validation and detection
Inventory Linux kernel versions across servers and appliances.
Confirm whether TIPC support is enabled, loaded, or operationally required.
Map installed kernels to vendor advisories or referenced stable commits.
Review crash telemetry for matching TIPC null-pointer dereference traces.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50555 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
7Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 7, 2025, 15:21 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.