CVE-2022-21546 (GCVE-0-2022-21546)

Vulnerability from cvelistv5 – Published: 2025-05-02 21:52 – Updated: 2025-11-03 17:30
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix WRITE_SAME No Data Buffer crash In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because its NULL. This patch adds a check for the NDOB bit in the common WRITE SAME code because we don't support it. And, it adds a check for zero SG elements in each handler in case the initiator tries to send a normal WRITE SAME with no data buffer.
Severity ?
No CVSS data available.
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 54e57be2573cf0b8bf650375fd8752987b6c3d3b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d8e6a27e9238dd294d6f2f401655f300dca20899 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4226622647e3e5ac06d3ebc1605b917446157510 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ccd3f449052449a917a3e577d8ba0368f43b8f29 (git)
Create a notification for this product.
    Linux Linux Unaffected: 5.4.294 , ≤ 5.4.* (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.182 , ≤ 5.15.* (semver)
Unaffected: 5.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-21546",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T15:06:53.886424Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T15:07:03.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:30:59.924Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/target/target_core_file.c",
            "drivers/target/target_core_iblock.c",
            "drivers/target/target_core_sbc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "54e57be2573cf0b8bf650375fd8752987b6c3d3b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d8e6a27e9238dd294d6f2f401655f300dca20899",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4226622647e3e5ac06d3ebc1605b917446157510",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ccd3f449052449a917a3e577d8ba0368f43b8f29",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/target/target_core_file.c",
            "drivers/target/target_core_iblock.c",
            "drivers/target/target_core_sbc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix WRITE_SAME No Data Buffer crash\n\nIn newer version of the SBC specs, we have a NDOB bit that indicates there\nis no data buffer that gets written out. If this bit is set using commands\nlike \"sg_write_same --ndob\" we will crash in target_core_iblock/file\u0027s\nexecute_write_same handlers when we go to access the se_cmd-\u003et_data_sg\nbecause its NULL.\n\nThis patch adds a check for the NDOB bit in the common WRITE SAME code\nbecause we don\u0027t support it. And, it adds a check for zero SG elements in\neach handler in case the initiator tries to send a normal WRITE SAME with\nno data buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:11.788Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/54e57be2573cf0b8bf650375fd8752987b6c3d3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8e6a27e9238dd294d6f2f401655f300dca20899"
        },
        {
          "url": "https://git.kernel.org/stable/c/4226622647e3e5ac06d3ebc1605b917446157510"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccd3f449052449a917a3e577d8ba0368f43b8f29"
        }
      ],
      "title": "scsi: target: Fix WRITE_SAME No Data Buffer crash",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2022-21546",
    "datePublished": "2025-05-02T21:52:09.864Z",
    "dateReserved": "2021-11-15T19:29:08.898Z",
    "dateUpdated": "2025-11-03T17:30:59.924Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-21546\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-02T22:15:15.290\",\"lastModified\":\"2025-11-10T17:37:14.470\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: target: Fix WRITE_SAME No Data Buffer crash\\n\\nIn newer version of the SBC specs, we have a NDOB bit that indicates there\\nis no data buffer that gets written out. If this bit is set using commands\\nlike \\\"sg_write_same --ndob\\\" we will crash in target_core_iblock/file\u0027s\\nexecute_write_same handlers when we go to access the se_cmd-\u003et_data_sg\\nbecause its NULL.\\n\\nThis patch adds a check for the NDOB bit in the common WRITE SAME code\\nbecause we don\u0027t support it. And, it adds a check for zero SG elements in\\neach handler in case the initiator tries to send a normal WRITE SAME with\\nno data buffer.\"},{\"lang\":\"es\",\"value\":\"En versiones m\u00e1s recientes de las especificaciones de SBC, tenemos un bit NDOB que indica que no hay b\u00fafer de datos que se escriba. Si este bit se activa mediante comandos como \\\"sg_write_same --ndob\\\", se producir\u00e1 un fallo en los controladores \\\"execute_write_same\\\" de target_core_iblock/file al acceder a se_cmd-\u0026gt;t_data_sg, ya que es nulo. Puntuaci\u00f3n base de CVSS 3.1: 7.7 (Afecta a la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.4.294\",\"matchCriteriaId\":\"093AFCC1-07FE-4A32-A1F0-9B1F9197071E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.238\",\"matchCriteriaId\":\"0DAAEF7F-D560-47FC-8B65-20404DB82432\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.182\",\"matchCriteriaId\":\"57E76AE8-79D9-4EC8-9845-9A86B1ED152E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.19\",\"matchCriteriaId\":\"56DE5611-29D8-45E0-B14B-E4D1187A6BEC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8C30C2D-F82D-4D37-AB48-D76ABFBD5377\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF8547FC-C849-4F1B-804B-A93AE2F04A92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3068028-F453-4A1C-B80F-3F5609ACEF60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E9C0DB0-D349-489F-A3D6-B77214E93A8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A0DE3B7-0FFB-45AA-9BD6-19870CA7C6FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"00AE778B-BAEE-49EB-9F84-003B73D7862A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4226622647e3e5ac06d3ebc1605b917446157510\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/54e57be2573cf0b8bf650375fd8752987b6c3d3b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ccd3f449052449a917a3e577d8ba0368f43b8f29\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d8e6a27e9238dd294d6f2f401655f300dca20899\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T17:30:59.924Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-21546\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-06T15:06:53.886424Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476 NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-06T15:06:19.321Z\"}}], \"cna\": {\"title\": \"scsi: target: Fix WRITE_SAME No Data Buffer crash\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"54e57be2573cf0b8bf650375fd8752987b6c3d3b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"d8e6a27e9238dd294d6f2f401655f300dca20899\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"4226622647e3e5ac06d3ebc1605b917446157510\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"ccd3f449052449a917a3e577d8ba0368f43b8f29\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/target/target_core_file.c\", \"drivers/target/target_core_iblock.c\", \"drivers/target/target_core_sbc.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"5.4.294\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.238\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.182\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.19\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/target/target_core_file.c\", \"drivers/target/target_core_iblock.c\", \"drivers/target/target_core_sbc.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/54e57be2573cf0b8bf650375fd8752987b6c3d3b\"}, {\"url\": \"https://git.kernel.org/stable/c/d8e6a27e9238dd294d6f2f401655f300dca20899\"}, {\"url\": \"https://git.kernel.org/stable/c/4226622647e3e5ac06d3ebc1605b917446157510\"}, {\"url\": \"https://git.kernel.org/stable/c/ccd3f449052449a917a3e577d8ba0368f43b8f29\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: target: Fix WRITE_SAME No Data Buffer crash\\n\\nIn newer version of the SBC specs, we have a NDOB bit that indicates there\\nis no data buffer that gets written out. If this bit is set using commands\\nlike \\\"sg_write_same --ndob\\\" we will crash in target_core_iblock/file\u0027s\\nexecute_write_same handlers when we go to access the se_cmd-\u003et_data_sg\\nbecause its NULL.\\n\\nThis patch adds a check for the NDOB bit in the common WRITE SAME code\\nbecause we don\u0027t support it. And, it adds a check for zero SG elements in\\neach handler in case the initiator tries to send a normal WRITE SAME with\\nno data buffer.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.294\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.238\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.182\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.19\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-06-04T12:57:11.788Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-21546\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T17:30:59.924Z\", \"dateReserved\": \"2021-11-15T19:29:08.898Z\", \"assignerOrgId\": \"43595867-4340-4103-b7a2-9a5208d29a85\", \"datePublished\": \"2025-05-02T21:52:09.864Z\", \"assignerShortName\": \"oracle\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.