CVE-2022-50859 | cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") extend the dialects from 3 to 4, but forget to decrease the extended length when specific the dialect, then the message length is larger than expected. This maybe leak some info through network because not initialize the message body. After apply this patch, the VALIDATE_NEGOTIATE_INFO message length is reduced from 28 bytes to 26 bytes.

Published: 2025-12-30 Last update: 2026-06-17 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2022-50859 is rated Low Risk (10.8/100): low exploitation likelihood (EPSS 0.21%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2022-50859

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.21%	+0.18%
2	2025-12-31	—	0.02%	—

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-50859

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2022-50859

OS Trackers for CVE-2022-50859

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2022-50859 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2022-50859
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2022-50859
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2022-50859/
`ubuntu`	medium	CVE-2022-50859 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 173, released 127, not-affected 94, needs-triage 1.	https://ubuntu.com/security/CVE-2022-50859

Affected software / configurations for CVE-2022-50859

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 5.0, < 5.4.220	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.0, < 5.10.150	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.0, < 5.15.75	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.0, < 5.19.17	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.0, < 6.0.3	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.0, < 6.1	cpe:2.3:o:linux:linux_kernel::::::::

References for CVE-2022-50859

URL	Tags
https://git.kernel.org/stable/c/60480291c1fcafad8425d93f771b5bcc2bd398b4
https://git.kernel.org/stable/c/9312e04b6c6bc46354ecd0cc82052a2b3df0b529
https://git.kernel.org/stable/c/943eb0ede74ecd609fdfd3f0b83e0d237613e526
https://git.kernel.org/stable/c/d0050ec3ebbcb3451df9a65b8460be9b9e02e80c
https://git.kernel.org/stable/c/e98ecc6e94f4e6d21c06660b0f336df02836694f
https://git.kernel.org/stable/c/fada9b8c95c77bb46b89e18117405bc90fce9f74

cvelogic Threat Intelligence