LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50555: tipc: fix a null-ptr-deref in tipc_topsrv_accept

In the Linux kernel, the following vulnerability has been resolved: tipc: fix a null-ptr-deref in tipc_topsrv_accept syzbot found a crash in tipc_topsrv_accept: KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] Workqueue: tipc_rcv tipc_topsrv_accept RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487 Call Trace: <TASK> tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 It was caused by srv->listener that might be set to null by tipc_topsrv_stop() in net .exit whereas it's still used in tipc_topsrv_accept() worker. srv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add a check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to avoid the null-ptr-deref. To ensure the lsock is not released during the tipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop() where it's waiting until the tipc_topsrv_accept worker to be done. Note that sk_callback_lock is used to protect sk->sk_user_data instead of srv->listener, and it should check srv in tipc_topsrv_listener_data_ready() instead. This also ensures that no more tipc_topsrv_accept worker will be started after tipc_conn_close() is called in tipc_topsrv_stop() where it sets sk->sk_user_data to null.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2022-50555 is a Linux kernel TIPC crash bug. A race can leave the TIPC topology server accept worker using a listener pointer after it was cleared, causing a null pointer dereference and kernel crash. The public record does not provide CVSS or evidence of active exploitation.

Executive priority

Handle through normal kernel patch governance, with faster attention for production systems using TIPC or requiring high availability. There is no public evidence of active exploitation in the supplied sources, but kernel crash bugs can create operational outages.

Technical view

The issue is in net/tipc/topsrv.c. tipc_topsrv_stop() can set srv->listener to null while tipc_topsrv_accept() still uses it. The kernel fix checks srv->listener under srv->idr_lock, moves sock_release() until after work shutdown, and tightens listener callback handling.

Likely exposure

Exposure appears limited to Linux systems running affected kernel versions with TIPC enabled or in use. The source bundle lists affected Linux kernel ranges and stable fix commits, but does not describe distribution package status or runtime defaults.

Exploitation context

No cited source says this is actively exploited, and KEV is false. Public evidence in the bundle describes a syzbot-discovered crash, not weaponized exploitation. Impact should be treated primarily as potential denial of service until vendor-specific advisories say more.

Researcher notes

The fix addresses lifetime and locking around srv->listener and workqueue shutdown in TIPC topology server code. The record lacks CVSS, CWE, exploit prerequisites, and distribution-specific package mapping, so exposure conclusions should be verified against deployed kernels and vendor advisories.

Mitigation direction

  • Update to a vendor kernel containing the referenced stable fixes.
  • Check Linux distribution advisories for exact fixed package versions.
  • Disable or restrict TIPC where it is not required.
  • Prioritize systems where kernel crashes affect availability commitments.

Validation and detection

  • Inventory Linux kernel versions across servers and appliances.
  • Confirm whether TIPC support is enabled, loaded, or operationally required.
  • Map installed kernels to vendor advisories or referenced stable commits.
  • Review crash telemetry for matching TIPC null-pointer dereference traces.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-50555 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
7Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux0ef897be12b8b4cf297b6016e79ec97ec90f2cf6, 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6, 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6, 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6, 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6, 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6unaffected
LinuxLinux4.17, 0, 4.19.264, 5.4.223, 5.10.153, 5.15.77, 6.0.7, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.