CVE-2022-50826 (GCVE-0-2022-50826)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
Title
ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()
Summary
In the Linux kernel, the following vulnerability has been resolved: ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection() Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() with a subdev state of NULL leads to a NULL pointer dereference. This can currently happen in imgu_subdev_set_selection() when the state passed in is NULL, as this method first gets pointers to both the "try" and "active" states and only then decides which to use. The same issue has been addressed for imgu_subdev_get_selection() with commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active selection access"). However the issue still persists in imgu_subdev_set_selection(). Therefore, apply a similar fix as done in the aforementioned commit to imgu_subdev_set_selection(). To keep things a bit cleaner, introduce helper functions for "crop" and "compose" access and use them in both imgu_subdev_set_selection() and imgu_subdev_get_selection().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < fa6bbb4894b9b947063c6ff90018a954c5f9f4b3 (git)
Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < 611d617bdb6c5d636a9861ec1c98e813fc8a5556 (git)
Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < 5038ee677606106c91564f9c4557d808d14bad70 (git)
Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < dc608edf7d45ba0c2ad14c06eccd66474fec7847 (git)
Create a notification for this product.
    Linux Linux Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.18 , ≤ 6.0.* (semver)
Unaffected: 6.1.4 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/media/ipu3/ipu3-v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fa6bbb4894b9b947063c6ff90018a954c5f9f4b3",
              "status": "affected",
              "version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
              "versionType": "git"
            },
            {
              "lessThan": "611d617bdb6c5d636a9861ec1c98e813fc8a5556",
              "status": "affected",
              "version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
              "versionType": "git"
            },
            {
              "lessThan": "5038ee677606106c91564f9c4557d808d14bad70",
              "status": "affected",
              "version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
              "versionType": "git"
            },
            {
              "lessThan": "dc608edf7d45ba0c2ad14c06eccd66474fec7847",
              "status": "affected",
              "version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/media/ipu3/ipu3-v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.18",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.4",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()\n\nCalling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()\nwith a subdev state of NULL leads to a NULL pointer dereference. This\ncan currently happen in imgu_subdev_set_selection() when the state\npassed in is NULL, as this method first gets pointers to both the \"try\"\nand \"active\" states and only then decides which to use.\n\nThe same issue has been addressed for imgu_subdev_get_selection() with\ncommit 30d03a0de650 (\"ipu3-imgu: Fix NULL pointer dereference in active\nselection access\"). However the issue still persists in\nimgu_subdev_set_selection().\n\nTherefore, apply a similar fix as done in the aforementioned commit to\nimgu_subdev_set_selection(). To keep things a bit cleaner, introduce\nhelper functions for \"crop\" and \"compose\" access and use them in both\nimgu_subdev_set_selection() and imgu_subdev_get_selection()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:38.950Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/611d617bdb6c5d636a9861ec1c98e813fc8a5556"
        },
        {
          "url": "https://git.kernel.org/stable/c/5038ee677606106c91564f9c4557d808d14bad70"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc608edf7d45ba0c2ad14c06eccd66474fec7847"
        }
      ],
      "title": "ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50826",
    "datePublished": "2025-12-30T12:08:38.950Z",
    "dateReserved": "2025-12-30T12:06:07.131Z",
    "dateUpdated": "2025-12-30T12:08:38.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50826\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:15:57.063\",\"lastModified\":\"2025-12-31T20:43:05.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()\\n\\nCalling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()\\nwith a subdev state of NULL leads to a NULL pointer dereference. This\\ncan currently happen in imgu_subdev_set_selection() when the state\\npassed in is NULL, as this method first gets pointers to both the \\\"try\\\"\\nand \\\"active\\\" states and only then decides which to use.\\n\\nThe same issue has been addressed for imgu_subdev_get_selection() with\\ncommit 30d03a0de650 (\\\"ipu3-imgu: Fix NULL pointer dereference in active\\nselection access\\\"). However the issue still persists in\\nimgu_subdev_set_selection().\\n\\nTherefore, apply a similar fix as done in the aforementioned commit to\\nimgu_subdev_set_selection(). To keep things a bit cleaner, introduce\\nhelper functions for \\\"crop\\\" and \\\"compose\\\" access and use them in both\\nimgu_subdev_set_selection() and imgu_subdev_get_selection().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5038ee677606106c91564f9c4557d808d14bad70\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/611d617bdb6c5d636a9861ec1c98e813fc8a5556\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dc608edf7d45ba0c2ad14c06eccd66474fec7847\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.