CVE-2022-50185 [High] | Out-of-bounds Write in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() The last case label can write two buffers 'mc_reg_address[j]' and 'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE since there are no checks for this value in both case labels after the last 'j++'. Instead of changing '>' to '>=' there, add the bounds check at the start of the second 'case' (the first one already has it). Also, remove redundant last checks for 'j' index bigger than array size. The expression is always false. Moreover, before or after the patch 'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it seems it can be a valid value. Detected using the static analysis tool - Svace.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-14	0.01%	0.06%	+0.05%
2	2025-11-20	0.06%	0.01%	-0.04%
3	2025-11-18	—	0.06%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-14

0.01%

0.06%

+0.05%

2025-11-20

0.06%

0.01%

-0.04%

2025-11-18

—

0.06%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.9

[email protected]

OS Trackers for CVE-2022-50185

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2022-50185 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2022-50185
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2022-50185
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2022-50185/
`ubuntu`	medium	CVE-2022-50185 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, released 151, ignored 150, not-affected 100, needed 4, needs-triage 1.	https://ubuntu.com/security/CVE-2022-50185

Affected software / configurations for CVE-2022-50185

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 3.11, < 4.14.291	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.15, < 4.19.256	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.20, < 5.4.211	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.5, < 5.10.137	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.61	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 5.18.18	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.19, < 5.19.2	cpe:2.3:o:linux:linux_kernel::::::::

References for CVE-2022-50185

URL	Tags
https://git.kernel.org/stable/c/136f614931a2bb73616b292cf542da3a18daefd5	Patch
https://git.kernel.org/stable/c/1f341053852be76f82610ce47a505d930512f05c	Patch
https://git.kernel.org/stable/c/782e413e38dffd37cc85b08b1ccb982adb4a93ce	Patch
https://git.kernel.org/stable/c/8508d6d23a247c29792ce2fc0df3f3404d6a6a80	Patch
https://git.kernel.org/stable/c/9faff03617afeced1c4e5daa89e79b3906374342	Patch
https://git.kernel.org/stable/c/db1a9add3f90ff1c641974d5bb910c16b87af4ef	Patch
https://git.kernel.org/stable/c/deb603c5928e546609c0d5798e231d0205748943	Patch
https://git.kernel.org/stable/c/ea73869df6ef386fc0feeb28ff66742ca835b18f	Patch

URL

CVE-2022-50185 | drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()

Exploit prediction scoring system (EPSS) score for CVE-2022-50185

Common vulnerability scoring system (CVSS) metrics for CVE-2022-50185

Weakness enumeration for CVE-2022-50185

OS Trackers for CVE-2022-50185

Affected software / configurations for CVE-2022-50185

References for CVE-2022-50185