{"id":"CVE-2022-50253","summary":"bpf: make sure skb-\u003elen != 0 when redirecting to a tunneling device","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: make sure skb-\u003elen != 0 when redirecting to a tunneling device\n\nsyzkaller managed to trigger another case where skb-\u003elen == 0\nwhen we enter __dev_queue_xmit:\n\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295\n\nCall Trace:\n dev_queue_xmit+0x17/0x20 net/core/dev.c:4406\n __bpf_tx_skb net/core/filter.c:2115 [inline]\n __bpf_redirect_no_mac net/core/filter.c:2140 [inline]\n __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163\n ____bpf_clone_redirect net/core/filter.c:2447 [inline]\n bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419\n bpf_prog_48159a89cb4a9a16+0x59/0x5e\n bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]\n __bpf_prog_run include/linux/filter.h:596 [inline]\n bpf_prog_run include/linux/filter.h:603 [inline]\n bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402\n bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170\n bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648\n __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005\n __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089\n do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThe reproducer doesn't really reproduce outside of syzkaller\nenvironment, so I'm taking a guess here. It looks like we\ndo generate correct ETH_HLEN-sized packet, but we redirect\nthe packet to the tunneling device. Before we do so, we\n__skb_pull l2 header and arrive again at skb-\u003elen == 0.\nDoesn't seem like we can do anything better than having\nan explicit check after __skb_pull?","modified":"2026-04-02T08:28:21.802858Z","published":"2025-09-15T14:02:34.849Z","related":["SUSE-SU-2025:03614-1","SUSE-SU-2025:4393-1","SUSE-SU-2025:4422-1","SUSE-SU-2025:4505-1","SUSE-SU-2025:4516-1","SUSE-SU-2025:4517-1","SUSE-SU-2025:4521-1","SUSE-SU-2026:20012-1","SUSE-SU-2026:20015-1","SUSE-SU-2026:20021-1","SUSE-SU-2026:20039-1","SUSE-SU-2026:20059-1","SUSE-SU-2026:20473-1","SUSE-SU-2026:20496-1","openSUSE-SU-2025:20172-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50253.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/07ec7b502800ba9f7b8b15cb01dd6556bb41aaca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1b65704b8c08ae92db29f720d3b298031131da53"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6d935a02658be82585ecb39aab339faa84496650"},{"type":"WEB","url":"https://git.kernel.org/stable/c/772431f30ca040cfbf31b791d468bac6a9ca74d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e6a63203e5a90a39392fa1a7ffc60f5e9baf642a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f186303845a01cc7e991f9dc51d7e5a3cdc7aedb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50253.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50253"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d"},{"fixed":"ffbccc5fb0a67424e12f7f8da210c04c8063f797"},{"fixed":"e6a63203e5a90a39392fa1a7ffc60f5e9baf642a"},{"fixed":"772431f30ca040cfbf31b791d468bac6a9ca74d3"},{"fixed":"6d935a02658be82585ecb39aab339faa84496650"},{"fixed":"5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5"},{"fixed":"1b65704b8c08ae92db29f720d3b298031131da53"},{"fixed":"f186303845a01cc7e991f9dc51d7e5a3cdc7aedb"},{"fixed":"07ec7b502800ba9f7b8b15cb01dd6556bb41aaca"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50253.json"}}],"schema_version":"1.7.5"}