CVE-2022-50453: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-50453 affects the Linux kernel and involves NULL-pointer dereferences in the GPIO character device interface. The vulnerability was disclosed on October 1, 2025. The issue occurs in the gpiolib cdev component where kernel crashes can be triggered by requesting lines, unbinding the GPIO device, and then calling system calls (ioctl(), read(), poll()) relevant to the GPIO character device's anonymous file descriptors (NVD, Ubuntu).

The vulnerability exists in the Linux kernel's GPIO subsystem where multiple NULL-pointer dereferences can occur. The issue manifests when a GPIO device is hot-unplugged after requesting lines but before calling certain system calls. While initially observed with the GPIO simulator, it affects any hot-unplug capable GPIO devices, including HID GPIO expanders like CP2112. The vulnerability impacts both v1 and v2 uAPI. A partial fix was implemented by checking if gdev->chip is not NULL, but a race condition remains where another thread can remove the device after the check (NVD).

The vulnerability can lead to kernel crashes when exploited, potentially causing system instability and denial of service. This affects systems using GPIO devices that can be hot-unplugged, making it particularly relevant for systems with external GPIO expanders (NVD).

Several Linux distributions have released fixes for this vulnerability. Ubuntu has patched multiple kernel versions including linux-hwe-5.15 (5.15.0-69.76~20.04.1), linux-aws-5.15 (5.15.0-1033.37~20.04.1), linux-azure-5.15 (5.15.0-1035.42~20.04.1), and linux-gcp-5.15 (5.15.0-1031.38~20.04.1) (Ubuntu).