{"id":"CVE-2022-50425","summary":"x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly\n\nWhen an extended state component is not present in fpstate, but in init\nstate, the function copies from init_fpstate via copy_feature().\n\nBut, dynamic states are not present in init_fpstate because of all-zeros\ninit states. Then retrieving them from init_fpstate will explode like this:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n ...\n RIP: 0010:memcpy_erms+0x6/0x10\n  ? __copy_xstate_to_uabi_buf+0x381/0x870\n  fpu_copy_guest_fpstate_to_uabi+0x28/0x80\n  kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm]\n  ? __this_cpu_preempt_check+0x13/0x20\n  ? vmx_vcpu_put+0x2e/0x260 [kvm_intel]\n  kvm_vcpu_ioctl+0xea/0x6b0 [kvm]\n  ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm]\n  ? __fget_light+0xd4/0x130\n  __x64_sys_ioctl+0xe3/0x910\n  ? debug_smp_processor_id+0x17/0x20\n  ? fpregs_assert_state_consistent+0x27/0x50\n  do_syscall_64+0x3f/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAdjust the 'mask' to zero out the userspace buffer for the features that\nare not available both from fpstate and from init_fpstate.\n\nThe dynamic features depend on the compacted XSAVE format. Ensure it is\nenabled before reading XCOMP_BV in init_fpstate.","modified":"2026-04-02T08:28:29.393074Z","published":"2025-10-01T11:42:04.776Z","related":["SUSE-SU-2025:03615-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50425.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/471f0aa7fa64e23766a1473b32d9ec3f0718895a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6ff29642fd28965a8f8d6d326ac91bf6075f3113"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50425.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50425"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2308ee57d93d896618dd65c996429c9d3e469fe0"},{"fixed":"6ff29642fd28965a8f8d6d326ac91bf6075f3113"},{"fixed":"471f0aa7fa64e23766a1473b32d9ec3f0718895a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50425.json"}}],"schema_version":"1.7.5"}