CVE-2022-50080 [Medium] | Integer Overflow in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: tee: add overflow check in register_shm_helper() With special lengths supplied by user space, register_shm_helper() has an integer overflow when calculating the number of pages covered by a supplied user space memory region. This causes internal_get_user_pages_fast() a helper function of pin_user_pages_fast() to do a NULL pointer dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 Modules linked in: CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11 Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 pc : internal_get_user_pages_fast+0x474/0xa80 Call trace: internal_get_user_pages_fast+0x474/0xa80 pin_user_pages_fast+0x24/0x4c register_shm_helper+0x194/0x330 tee_shm_register_user_buf+0x78/0x120 tee_ioctl+0xd0/0x11a0 __arm64_sys_ioctl+0xa8/0xec invoke_syscall+0x48/0x114 Fix this by adding an an explicit call to access_ok() in tee_shm_register_user_buf() to catch an invalid user space address early.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-14	0.02%	0.06%	+0.04%
2	2025-06-18	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-14

0.02%

0.06%

+0.04%

2025-06-18

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

3.6

[email protected]

OS Trackers for CVE-2022-50080

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2022-50080 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2022-50080
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2022-50080
`suse`	medium	CVE-2022-50080 severity moderate: SUSE including 295 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 495 product×package rows across 50 product lines (Image SLES12-SP5-Azure-BYOS, Image SLES12-SP5-Azure-HPC-BYOS, … (50 product lines)): Known Affected 231, Known Not Affected 165, Fixed 99.	https://www.suse.com/security/cve/CVE-2022-50080/
`ubuntu`	medium	CVE-2022-50080 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, ignored 147, released 135, not-affected 123, needs-triage 1.	https://ubuntu.com/security/CVE-2022-50080

Affected software / configurations for CVE-2022-50080

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 4.16, < 4.19.256	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.20, < 5.4.211	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.5, < 5.10.137	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.62	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 5.18.19	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.19, < 5.19.3	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.0	cpe:2.3:o:linux:linux_kernel:6.0:rc1::::::

References for CVE-2022-50080

URL	Tags
https://git.kernel.org/stable/c/2f8e79a1a6128214cb9b205a9869341af5dfb16b	Patch
https://git.kernel.org/stable/c/573ae4f13f630d6660008f1974c0a8a29c30e18a	Patch
https://git.kernel.org/stable/c/578c349570d2a912401963783b36e0ec7a25c053	Patch
https://git.kernel.org/stable/c/58c008d4d398f792ca67f35650610864725518fd	Patch
https://git.kernel.org/stable/c/965333345fe952cc7eebc8e3a565ffc709441af2	Patch
https://git.kernel.org/stable/c/b37e0f17653c00b586cdbcdf0dbca475358ecffd	Patch
https://git.kernel.org/stable/c/c12f0e6126ad223806a365084e86370511654bf1	Patch

URL

CVE-2022-50080 | tee: add overflow check in register_shm_helper()

Exploit prediction scoring system (EPSS) score for CVE-2022-50080

Common vulnerability scoring system (CVSS) metrics for CVE-2022-50080

Weakness enumeration for CVE-2022-50080

OS Trackers for CVE-2022-50080

Affected software / configurations for CVE-2022-50080

References for CVE-2022-50080