CVE-2022-50390

EUVD-2025-29977

18.09.2025, 14:15

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED

Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:

UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
 <TASK>
 dump_stack_lvl+0x7d/0xa5
 dump_stack+0x15/0x1b
 ubsan_epilogue+0xe/0x4e
 __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
 ttm_bo_move_memcpy+0x3b4/0x460 [ttm]
 bo_driver_move+0x32/0x40 [drm_vram_helper]
 ttm_bo_handle_move_mem+0x118/0x200 [ttm]
 ttm_bo_validate+0xfa/0x220 [ttm]
 drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]
 drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]
 drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]
 drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]
 drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]
 drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]
 drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]
 drm_atomic_commit+0x9c/0x160 [drm]
 drm_client_modeset_commit_atomic+0x33a/0x380 [drm]
 drm_client_modeset_commit_locked+0x77/0x220 [drm]
 drm_client_modeset_commit+0x31/0x60 [drm]
 __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]
 drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]
 fbcon_init+0x316/0x790
 visual_init+0x113/0x1d0
 do_bind_con_driver+0x2a3/0x5c0
 do_take_over_console+0xa9/0x270
 do_fbcon_takeover+0xa1/0x170
 do_fb_registered+0x2a8/0x340
 fbcon_fb_registered+0x47/0xe0
 register_framebuffer+0x294/0x4a0
 __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
 drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
 drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
 drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
 bochs_pci_probe+0x6ca/0x772 [bochs]
 local_pci_probe+0x4d/0xb0
 pci_device_probe+0x119/0x320
 really_probe+0x181/0x550
 __driver_probe_device+0xc6/0x220
 driver_probe_device+0x32/0x100
 __driver_attach+0x195/0x200
 bus_for_each_dev+0xbb/0x120
 driver_attach+0x27/0x30
 bus_add_driver+0x22e/0x2f0
 driver_register+0xa9/0x190
 __pci_register_driver+0x90/0xa0
 bochs_pci_driver_init+0x52/0x1000 [bochs]
 do_one_initcall+0x76/0x430
 do_init_module+0x61/0x28a
 load_module+0x1f82/0x2e50
 __do_sys_finit_module+0xf8/0x190
 __x64_sys_finit_module+0x23/0x30
 do_syscall_64+0x58/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
 </TASK>

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.10 ≤ 𝑥 < 6.0.16
linux	linux_kernel	6.1 ≤ 𝑥 < 6.1.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.148-1 fixed
bookworm (security)	6.1.147-1 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	6.16.7-1 fixed
sid	6.16.7-1 fixed
trixie	6.12.43-1 fixed
trixie (security)	6.12.41-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

dlm-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

gfs2-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-64kb

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-default-base

suse enterprise server 15 SP5

5.14.21-150500.55.124.1.150500.6.59.1

fixed

kernel-docs

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-macros

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-obs-build

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-source

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-syms

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

kernel-zfcpdump

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

ocfs2-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

reiserfs-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.124.1

fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

bpftool

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:7.2.0-362.8.1.el9_3 fixed

kernel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-64k

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-abi-stablelists

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-core

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-debug

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-debug-core

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-debug-devel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-modules

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-debug-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-modules-extra

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-debug-uki-virt

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-devel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-doc

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-modules

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-modules-extra

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-rt

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-kvm

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-kvm

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-tools

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-tools-libs

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-tools-libs-devel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-uki-virt

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-zfcpdump-core

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-zfcpdump-devel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump-modules

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

kernel-zfcpdump-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump-modules-extra

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

libperf

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

perf

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

python3-perf

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-362.8.1.el9_3 fixed

rtla

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

References

https://git.kernel.org/stable/c/2ff0309b73d86e8591881ac035af06e01c112e89

https://git.kernel.org/stable/c/387659939c00156f8d6bab0fbc55b4eaf2b6bc5b

https://git.kernel.org/stable/c/6528971fdce0dfc0a28fec42c151a1eccdabadf5

https://git.kernel.org/stable/c/c4079a34c0adef9f35a16783fb13a9084406f96d