Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2022-49947

NULL Pointer Dereference

Published: Jun 18, 2025 | Modified: Nov 14, 2025
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
Vulnerability-free packages from our partners
root.io logo minimus.io logo echo.ai logo
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-49947
CWEhttps://cwe.mitre.org/data/definitions/476.html

In the Linux kernel, the following vulnerability has been resolved:

binder: fix alloc->vma_vm_mm null-ptr dereference

Syzbot reported a couple issues introduced by commit 44e602b4e52f (binder_alloc: add missing mmap_lock calls when using the VMA), in which we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not been initialized yet.

This can happen if a binder_proc receives a transaction without having previously called mmap() to setup the binder_proc->alloc space in [1]. Also, a similar issue occurs via binder_alloc_print_pages() when we try to dump the debugfs binder stats file in [2].

Sample of syzbots crash report:

KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] CPU: 0 PID: 3755 Comm: syz-executor229 Not tainted 6.0.0-rc1-next-20220819-syzkaller #0 syz-executor229[3755] cmdline: ./syz-executor2294415195 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 RIP: 0010:__lock_acquire+0xd83/0x56d0 kernel/locking/lockdep.c:4923 […] Call Trace: lock_acquire kernel/locking/lockdep.c:5666 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 down_read+0x98/0x450 kernel/locking/rwsem.c:1499 mmap_read_lock include/linux/mmap_lock.h:117 [inline] binder_alloc_new_buf_locked drivers/android/binder_alloc.c:405 [inline] binder_alloc_new_buf+0xa5/0x19e0 drivers/android/binder_alloc.c:593 binder_transaction+0x242e/0x9a80 drivers/android/binder.c:3199 binder_thread_write+0x664/0x3220 drivers/android/binder.c:3986 binder_ioctl_write_read drivers/android/binder.c:5036 [inline] binder_ioctl+0x3470/0x6d00 drivers/android/binder.c:5323 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd […]

Fix these issues by setting up alloc->vma_vm_mm pointer during open() and caching directly from current->mm. This guarantees we have a valid reference to take the mmap_lock during scenarios described above.

[1] https://syzkaller.appspot.com/bug?extid=f7dc54e5be28950ac459 [2] https://syzkaller.appspot.com/bug?extid=a75ebe0452711c9e56d9

Weakness

The product dereferences a pointer that it expects to be valid but is NULL.

Affected Software

NameVendorStart VersionEnd Version
Linux_kernelLinux5.15.64 (including)5.15.66 (excluding)
Linux_kernelLinux5.19.6 (including)5.19.8 (excluding)
Linux_kernelLinux6.0-rc3 (including)6.0-rc3 (including)
LinuxUbuntujammy*
LinuxUbuntuupstream*
Linux-allwinner-5.19Ubuntujammy*
Linux-allwinner-5.19Ubuntuupstream*
Linux-awsUbuntujammy*
Linux-awsUbuntuupstream*
Linux-aws-5.0Ubuntubionic*
Linux-aws-5.0Ubuntuesm-infra/bionic*
Linux-aws-5.0Ubuntuupstream*
Linux-aws-5.11Ubuntuesm-infra/focal*
Linux-aws-5.11Ubuntufocal*
Linux-aws-5.11Ubuntuupstream*
Linux-aws-5.13Ubuntuesm-infra/focal*
Linux-aws-5.13Ubuntufocal*
Linux-aws-5.13Ubuntuupstream*
Linux-aws-5.15Ubuntuesm-infra/focal*
Linux-aws-5.15Ubuntufocal*
Linux-aws-5.15Ubuntuupstream*
Linux-aws-5.19Ubuntujammy*
Linux-aws-5.19Ubuntuupstream*
Linux-aws-5.3Ubuntubionic*
Linux-aws-5.3Ubuntuesm-infra/bionic*
Linux-aws-5.3Ubuntuupstream*
Linux-aws-5.4Ubuntuupstream*
Linux-aws-5.8Ubuntuesm-infra/focal*
Linux-aws-5.8Ubuntufocal*
Linux-aws-5.8Ubuntuupstream*
Linux-aws-6.14Ubuntuupstream*
Linux-aws-6.2Ubuntujammy*
Linux-aws-6.2Ubuntuupstream*
Linux-aws-6.5Ubuntujammy*
Linux-aws-6.5Ubuntuupstream*
Linux-aws-6.8Ubuntuupstream*
Linux-aws-fipsUbuntutrusty*
Linux-aws-fipsUbuntuupstream*
Linux-aws-fipsUbuntuxenial*
Linux-aws-hweUbuntuupstream*
Linux-azureUbuntubionic*
Linux-azureUbuntuesm-infra/bionic*
Linux-azureUbuntujammy*
Linux-azureUbuntuupstream*
Linux-azure-4.15Ubuntuupstream*
Linux-azure-5.11Ubuntuesm-infra/focal*
Linux-azure-5.11Ubuntufocal*
Linux-azure-5.11Ubuntuupstream*
Linux-azure-5.13Ubuntuesm-infra/focal*
Linux-azure-5.13Ubuntufocal*
Linux-azure-5.13Ubuntuupstream*
Linux-azure-5.15Ubuntuesm-infra/focal*
Linux-azure-5.15Ubuntufocal*
Linux-azure-5.15Ubuntuupstream*
Linux-azure-5.19Ubuntujammy*
Linux-azure-5.19Ubuntuupstream*
Linux-azure-5.3Ubuntubionic*
Linux-azure-5.3Ubuntuesm-infra/bionic*
Linux-azure-5.3Ubuntuupstream*
Linux-azure-5.4Ubuntuupstream*
Linux-azure-5.8Ubuntuesm-infra/focal*
Linux-azure-5.8Ubuntufocal*
Linux-azure-5.8Ubuntuupstream*
Linux-azure-6.11Ubuntuupstream*
Linux-azure-6.14Ubuntuupstream*
Linux-azure-6.2Ubuntujammy*
Linux-azure-6.2Ubuntuupstream*
Linux-azure-6.5Ubuntujammy*
Linux-azure-6.5Ubuntuupstream*
Linux-azure-6.8Ubuntuupstream*
Linux-azure-edgeUbuntubionic*
Linux-azure-edgeUbuntuesm-infra/bionic*
Linux-azure-edgeUbuntuupstream*
Linux-azure-fdeUbuntuesm-infra/focal*
Linux-azure-fdeUbuntufocal*
Linux-azure-fdeUbuntuupstream*
Linux-azure-fde-5.15Ubuntuupstream*
Linux-azure-fde-5.19Ubuntujammy*
Linux-azure-fde-5.19Ubuntuupstream*
Linux-azure-fde-6.14Ubuntuupstream*
Linux-azure-fde-6.2Ubuntujammy*
Linux-azure-fde-6.2Ubuntuupstream*
Linux-azure-fde-6.8Ubuntuupstream*
Linux-azure-fipsUbuntutrusty*
Linux-azure-fipsUbuntuupstream*
Linux-azure-fipsUbuntuxenial*
Linux-azure-nvidiaUbuntuupstream*
Linux-azure-nvidia-6.14Ubuntuupstream*
Linux-bluefieldUbuntuupstream*
Linux-fipsUbuntuupstream*
Linux-gcpUbuntubionic*
Linux-gcpUbuntuesm-infra/bionic*
Linux-gcpUbuntujammy*
Linux-gcpUbuntuupstream*
Linux-gcp-4.15Ubuntuupstream*
Linux-gcp-5.11Ubuntuesm-infra/focal*
Linux-gcp-5.11Ubuntufocal*
Linux-gcp-5.11Ubuntuupstream*
Linux-gcp-5.13Ubuntuesm-infra/focal*
Linux-gcp-5.13Ubuntufocal*
Linux-gcp-5.13Ubuntuupstream*
Linux-gcp-5.15Ubuntuesm-infra/focal*
Linux-gcp-5.15Ubuntufocal*
Linux-gcp-5.15Ubuntuupstream*
Linux-gcp-5.19Ubuntujammy*
Linux-gcp-5.19Ubuntuupstream*
Linux-gcp-5.3Ubuntubionic*
Linux-gcp-5.3Ubuntuesm-infra/bionic*
Linux-gcp-5.3Ubuntuupstream*
Linux-gcp-5.4Ubuntuupstream*
Linux-gcp-5.8Ubuntuesm-infra/focal*
Linux-gcp-5.8Ubuntufocal*
Linux-gcp-5.8Ubuntuupstream*
Linux-gcp-6.11Ubuntuupstream*
Linux-gcp-6.14Ubuntuupstream*
Linux-gcp-6.2Ubuntujammy*
Linux-gcp-6.2Ubuntuupstream*
Linux-gcp-6.5Ubuntujammy*
Linux-gcp-6.5Ubuntuupstream*
Linux-gcp-6.8Ubuntuupstream*
Linux-gcp-fipsUbuntutrusty*
Linux-gcp-fipsUbuntuupstream*
Linux-gcp-fipsUbuntuxenial*
Linux-gkeUbuntuesm-infra/focal*
Linux-gkeUbuntufocal*
Linux-gkeUbuntujammy*
Linux-gkeUbuntuupstream*
Linux-gkeUbuntuxenial*
Linux-gke-4.15Ubuntubionic*
Linux-gke-4.15Ubuntuesm-infra/bionic*
Linux-gke-4.15Ubuntuupstream*
Linux-gke-5.15Ubuntuesm-infra/focal*
Linux-gke-5.15Ubuntufocal*
Linux-gke-5.15Ubuntuupstream*
Linux-gke-5.4Ubuntubionic*
Linux-gke-5.4Ubuntuesm-infra/bionic*
Linux-gke-5.4Ubuntuupstream*
Linux-gkeopUbuntuesm-infra/focal*
Linux-gkeopUbuntufocal*
Linux-gkeopUbuntujammy*
Linux-gkeopUbuntuupstream*
Linux-gkeop-5.15Ubuntuesm-infra/focal*
Linux-gkeop-5.15Ubuntufocal*
Linux-gkeop-5.15Ubuntuupstream*
Linux-gkeop-5.4Ubuntubionic*
Linux-gkeop-5.4Ubuntuesm-infra/bionic*
Linux-gkeop-5.4Ubuntuupstream*
Linux-hweUbuntubionic*
Linux-hweUbuntuesm-infra/bionic*
Linux-hweUbuntuupstream*
Linux-hwe-5.11Ubuntuesm-infra/focal*
Linux-hwe-5.11Ubuntufocal*
Linux-hwe-5.11Ubuntuupstream*
Linux-hwe-5.13Ubuntuesm-infra/focal*
Linux-hwe-5.13Ubuntufocal*
Linux-hwe-5.13Ubuntuupstream*
Linux-hwe-5.15Ubuntuesm-infra/focal*
Linux-hwe-5.15Ubuntufocal*
Linux-hwe-5.15Ubuntuupstream*
Linux-hwe-5.19Ubuntujammy*
Linux-hwe-5.19Ubuntuupstream*
Linux-hwe-5.4Ubuntuupstream*
Linux-hwe-5.8Ubuntuesm-infra/focal*
Linux-hwe-5.8Ubuntufocal*
Linux-hwe-5.8Ubuntuupstream*
Linux-hwe-6.11Ubuntuupstream*
Linux-hwe-6.14Ubuntuupstream*
Linux-hwe-6.2Ubuntujammy*
Linux-hwe-6.2Ubuntuupstream*
Linux-hwe-6.5Ubuntujammy*
Linux-hwe-6.5Ubuntuupstream*
Linux-hwe-6.8Ubuntuupstream*
Linux-hwe-edgeUbuntubionic*
Linux-hwe-edgeUbuntuesm-infra/bionic*
Linux-hwe-edgeUbuntuesm-infra/xenial*
Linux-hwe-edgeUbuntuupstream*
Linux-hwe-edgeUbuntuxenial*
Linux-ibmUbuntujammy*
Linux-ibmUbuntuupstream*
Linux-ibm-5.15Ubuntuupstream*
Linux-ibm-5.4Ubuntuupstream*
Linux-ibm-6.8Ubuntuupstream*
Linux-intelUbuntuupstream*
Linux-intel-5.13Ubuntuesm-infra/focal*
Linux-intel-5.13Ubuntufocal*
Linux-intel-5.13Ubuntuupstream*
Linux-intel-iot-realtimeUbuntujammy*
Linux-intel-iot-realtimeUbuntuupstream*
Linux-intel-iotgUbuntujammy*
Linux-intel-iotgUbuntuupstream*
Linux-intel-iotg-5.15Ubuntuesm-infra/focal*
Linux-intel-iotg-5.15Ubuntufocal*
Linux-intel-iotg-5.15Ubuntuupstream*
Linux-iotUbuntuupstream*
Linux-kvmUbuntujammy*
Linux-kvmUbuntuupstream*
Linux-lowlatencyUbuntujammy*
Linux-lowlatencyUbuntuupstream*
Linux-lowlatency-hwe-5.15Ubuntuesm-infra/focal*
Linux-lowlatency-hwe-5.15Ubuntufocal*
Linux-lowlatency-hwe-5.15Ubuntuupstream*
Linux-lowlatency-hwe-5.19Ubuntujammy*
Linux-lowlatency-hwe-5.19Ubuntuupstream*
Linux-lowlatency-hwe-6.11Ubuntuupstream*
Linux-lowlatency-hwe-6.2Ubuntujammy*
Linux-lowlatency-hwe-6.2Ubuntuupstream*
Linux-lowlatency-hwe-6.5Ubuntujammy*
Linux-lowlatency-hwe-6.5Ubuntuupstream*
Linux-lowlatency-hwe-6.8Ubuntuupstream*
Linux-lts-xenialUbuntuupstream*
Linux-nvidiaUbuntuupstream*
Linux-nvidia-6.11Ubuntuupstream*
Linux-nvidia-6.2Ubuntujammy*
Linux-nvidia-6.2Ubuntuupstream*
Linux-nvidia-6.5Ubuntujammy*
Linux-nvidia-6.5Ubuntuupstream*
Linux-nvidia-6.8Ubuntuupstream*
Linux-nvidia-lowlatencyUbuntuupstream*
Linux-nvidia-tegraUbuntuupstream*
Linux-nvidia-tegra-5.15Ubuntuupstream*
Linux-nvidia-tegra-igxUbuntuupstream*
Linux-oemUbuntubionic*
Linux-oemUbuntuesm-infra/bionic*
Linux-oemUbuntuupstream*
Linux-oemUbuntuxenial*
Linux-oem-5.10Ubuntuesm-infra/focal*
Linux-oem-5.10Ubuntufocal*
Linux-oem-5.10Ubuntuupstream*
Linux-oem-5.13Ubuntuesm-infra/focal*
Linux-oem-5.13Ubuntufocal*
Linux-oem-5.13Ubuntuupstream*
Linux-oem-5.14Ubuntuesm-infra/focal*
Linux-oem-5.14Ubuntufocal*
Linux-oem-5.14Ubuntuupstream*
Linux-oem-5.17Ubuntujammy*
Linux-oem-5.17Ubuntuupstream*
Linux-oem-5.6Ubuntuesm-infra/focal*
Linux-oem-5.6Ubuntufocal*
Linux-oem-5.6Ubuntuupstream*
Linux-oem-6.0Ubuntujammy*
Linux-oem-6.0Ubuntuupstream*
Linux-oem-6.1Ubuntujammy*
Linux-oem-6.1Ubuntuupstream*
Linux-oem-6.11Ubuntuupstream*
Linux-oem-6.14Ubuntuupstream*
Linux-oem-6.17Ubuntuupstream*
Linux-oem-6.5Ubuntujammy*
Linux-oem-6.5Ubuntuupstream*
Linux-oem-6.8Ubuntuupstream*
Linux-oracleUbuntujammy*
Linux-oracleUbuntuupstream*
Linux-oracle-5.0Ubuntubionic*
Linux-oracle-5.0Ubuntuesm-infra/bionic*
Linux-oracle-5.0Ubuntuupstream*
Linux-oracle-5.11Ubuntuesm-infra/focal*
Linux-oracle-5.11Ubuntufocal*
Linux-oracle-5.11Ubuntuupstream*
Linux-oracle-5.13Ubuntuesm-infra/focal*
Linux-oracle-5.13Ubuntufocal*
Linux-oracle-5.13Ubuntuupstream*
Linux-oracle-5.15Ubuntuesm-infra/focal*
Linux-oracle-5.15Ubuntufocal*
Linux-oracle-5.15Ubuntuupstream*
Linux-oracle-5.3Ubuntubionic*
Linux-oracle-5.3Ubuntuesm-infra/bionic*
Linux-oracle-5.3Ubuntuupstream*
Linux-oracle-5.4Ubuntuupstream*
Linux-oracle-5.8Ubuntuesm-infra/focal*
Linux-oracle-5.8Ubuntufocal*
Linux-oracle-5.8Ubuntuupstream*
Linux-oracle-6.14Ubuntuupstream*
Linux-oracle-6.5Ubuntujammy*
Linux-oracle-6.5Ubuntuupstream*
Linux-oracle-6.8Ubuntuupstream*
Linux-raspiUbuntujammy*
Linux-raspiUbuntuupstream*
Linux-raspi-5.4Ubuntuupstream*
Linux-raspi-realtimeUbuntunoble*
Linux-raspi-realtimeUbuntuupstream*
Linux-raspi2Ubuntubionic*
Linux-raspi2Ubuntuesm-infra/focal*
Linux-raspi2Ubuntufocal*
Linux-raspi2Ubuntuupstream*
Linux-raspi2Ubuntuxenial*
Linux-realtimeUbuntujammy*
Linux-realtimeUbuntunoble*
Linux-realtimeUbunturealtime/jammy*
Linux-realtimeUbuntuupstream*
Linux-realtime-6.14Ubuntuupstream*
Linux-realtime-6.8Ubuntuupstream*
Linux-riscvUbuntuesm-infra/focal*
Linux-riscvUbuntufocal*
Linux-riscvUbuntujammy*
Linux-riscvUbuntunoble*
Linux-riscvUbuntuupstream*
Linux-riscv-5.11Ubuntuesm-infra/focal*
Linux-riscv-5.11Ubuntufocal*
Linux-riscv-5.11Ubuntuupstream*
Linux-riscv-5.15Ubuntuesm-infra/focal*
Linux-riscv-5.15Ubuntufocal*
Linux-riscv-5.15Ubuntuupstream*
Linux-riscv-5.19Ubuntujammy*
Linux-riscv-5.19Ubuntuupstream*
Linux-riscv-5.8Ubuntuesm-infra/focal*
Linux-riscv-5.8Ubuntufocal*
Linux-riscv-5.8Ubuntuupstream*
Linux-riscv-6.14Ubuntuupstream*
Linux-riscv-6.5Ubuntujammy*
Linux-riscv-6.5Ubuntuupstream*
Linux-riscv-6.8Ubuntuupstream*
Linux-starfive-5.19Ubuntujammy*
Linux-starfive-5.19Ubuntuupstream*
Linux-starfive-6.2Ubuntujammy*
Linux-starfive-6.2Ubuntuupstream*
Linux-starfive-6.5Ubuntujammy*
Linux-starfive-6.5Ubuntuupstream*
Linux-xilinxUbuntuupstream*
Linux-xilinx-zynqmpUbuntuupstream*

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2026 Aqua Security Software Ltd.   Privacy Policy | Terms of Use