CVE-2022-50314: 
Linux Kernel vulnerability analysis and mitigation

A race condition vulnerability was discovered in the Linux kernel's Network Block Device (NBD) implementation, specifically in the nbdstartdeviceioctl() function. The vulnerability was disclosed on September 15, 2025, affecting various versions of the Linux kernel. The issue occurs when a signal interrupts nbdstartdeviceioctl() while waiting for the condition atomicread(&config->recvthreads) == 0 (NVD, Red Hat).

The vulnerability manifests as a race condition in the NBD device initialization process. When a signal interrupts nbdstartdevice_ioctl() during its wait state, the task can become hung because it waits for the completion of inflight I/Os. The issue has been assigned a CVSS v3.1 base score of 4.4 with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H and is categorized under CWE-667 (Improper Locking) (Red Hat).

The vulnerability can result in a local denial of service condition where the NBD device becomes unresponsive. The system may end up with stuck I/O operations and an unresponsive NBD device. Since the issue can only be triggered by a privileged user with direct access to /dev/nbdX, it is classified as a local DoS vulnerability rather than a privilege escalation or memory corruption risk (Red Hat).

The vulnerability has been fixed by modifying the behavior to clear the queue, not just shutdown, when a signal interrupts nbdstartdevice_ioctl(). Various Linux distributions have released patches to address this issue. Red Hat has marked this for deferred fixes in RHEL 8 and 9, while some versions are not affected or out of support scope (Red Hat).