DEBIAN-CVE-2022-50044

Advisory lineage Upstream: 1 Downstream: 0
Upstream
CVE-2022-50044
Published: 18 Jun 2025, 11:15
Last modified:28 Apr 2026, 20:25

Vulnerability Summary

Overall Risk (default)
low
19/100
CVSS Score
4.7 MEDIUM
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

18 Jun 2025, 11:15
Published
Vulnerability first disclosed
28 Apr 2026, 20:25
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: start MHI channel after endpoit creation MHI channel may generates event/interrupt right after enabling. It may leads to 2 race conditions issues. 1) Such event may be dropped by qcom_mhi_qrtr_dl_callback() at check: if (!qdev || mhi_res->transaction_status) return; Because dev_set_drvdata(&mhi_dev->dev, qdev) may be not performed at this moment. In this situation qrtr-ns will be unable to enumerate services in device. --------------------------------------------------------------- 2) Such event may come at the moment after dev_set_drvdata() and before qrtr_endpoint_register(). In this case kernel will panic with accessing wrong pointer at qcom_mhi_qrtr_dl_callback(): rc = qrtr_endpoint_post(&qdev->ep, mhi_res->buf_addr, mhi_res->bytes_xferd); Because endpoint is not created yet. -------------------------------------------------------------- So move mhi_prepare_for_transfer_autoqueue after endpoint creation to fix it.

CVSS Metrics

  • v3.1MEDIUMScore: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Systems

  • debianlinux

    < 6.0.2-1 | < 6.0.2-1 | < 6.0.2-1

References (1)