CVE-2022-50751 Affecting rv package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-RV-14638083
- published25 Dec 2025
- disclosed24 Dec 2025
Introduced: 24 Dec 2025
NewCVE-2022-50751 (opens in a new tab)How to fix?
There is no fixed version for Centos:9 rv.
NVD Description
Note: Versions mentioned in the description apply only to the upstream rv package and not the rv package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
configfs: fix possible memory leak in configfs_create_dir()
kmemleak reported memory leaks in configfs_create_dir():
unreferenced object 0xffff888009f6af00 (size 192): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163) configfs_register_subsystem (fs/configfs/dir.c:1857) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ...
unreferenced object 0xffff888003ba7180 (size 96): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194) configfs_make_dirent (fs/configfs/dir.c:248) configfs_create_dir (fs/configfs/dir.c:296) configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852) configfs_register_subsystem (fs/configfs/dir.c:1881) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ...
This is because the refcount is not correct in configfs_make_dirent(). For normal stage, the refcount is changing as:
configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() configfs_new_dirent() # set s_count = 1 dentry->d_fsdata = configfs_get(sd); # s_count = 2 ... configfs_unregister_subsystem() configfs_remove_dir() remove_dir() configfs_remove_dirent() # s_count = 1 dput() ... dentry_unlink_inode() configfs_d_iput() # s_count = 0, release
However, if we failed in configfs_create():
configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() # s_count = 2 ... configfs_create() # fail ->out_remove: configfs_remove_dirent(dentry) configfs_put(sd) # s_count = 1 return PTR_ERR(inode);
There is no inode in the error path, so the configfs_d_iput() is lost and makes sd and fragment memory leaked.
To fix this, when we failed in configfs_create(), manually call configfs_put(sd) to keep the refcount correct.
References
- https://access.redhat.com/security/cve/CVE-2022-50751
- https://git.kernel.org/stable/c/07f82dca112262b169bec0001378126439cab776
- https://git.kernel.org/stable/c/74ac7c9ee2d486c501e7864c903f5098fc477acd
- https://git.kernel.org/stable/c/8bc77754224a2c8581727ffe2e958119b4e27c8f
- https://git.kernel.org/stable/c/90c38f57a821499391526b15cc944c265bd24e48
- https://git.kernel.org/stable/c/c65234b283a65cfbfc94619655e820a5e55199eb
- https://git.kernel.org/stable/c/c72eb6e6e49a71f7598740786568fafdd013a227