CVE-2022-50636
In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix pci_device_is_present() for VFs by checking PF

pci_device_is_present() previously didn't work for VFs because it reads the Vendor and Device ID, which are 0xffff for VFs, which looks like they aren't present. Check the PF instead.

Wei Gong reported that if virtio I/O is in progress when the driver is unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O operation hangs, which may result in output like this:

  task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002
  Call Trace:
   schedule+0x4f/0xc0
   blk_mq_freeze_queue_wait+0x69/0xa0
   blk_mq_freeze_queue+0x1b/0x20
   blk_cleanup_queue+0x3d/0xd0
   virtblk_remove+0x3c/0xb0 [virtio_blk]
   virtio_dev_remove+0x4b/0x80
   ...
   device_unregister+0x1b/0x60
   unregister_virtio_device+0x18/0x30
   virtio_pci_remove+0x41/0x80
   pci_device_remove+0x3e/0xb0

This happened because pci_device_is_present(VF) returned "false" in virtio_pci_remove(), so it called virtio_break_device(). The broken vq meant that vring_interrupt() skipped the vq.callback() that would have completed the virtio I/O operation via virtblk_done().

[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]
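The presence check described in the commit message, before and after the fix, as a user-space model. This is an added example, not the kernel patch or code from this page: `struct model_dev`, the sample devices and all helper names are hypothetical, and only the all-ones read is treated as "absent".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model, NOT kernel code. struct model_dev and the helpers are
 * hypothetical stand-ins for struct pci_dev and a config-space read. */
struct model_dev {
    uint16_t vendor, device;   /* values a Vendor/Device ID read returns */
    bool is_virtfn;            /* true for an SR-IOV VF */
    struct model_dev *physfn;  /* owning PF when is_virtfn is set */
    bool unplugged;            /* function is really gone from the bus */
};

/* Constructed sample devices: a PF with arbitrary IDs and one of its VFs,
 * whose ID registers read 0xffff as the commit message describes. */
static struct model_dev sample_pf = { .vendor = 0x1234, .device = 0x5678 };
static struct model_dev sample_vf = { .vendor = 0xffff, .device = 0xffff,
                                      .is_virtfn = true, .physfn = &sample_pf };

/* Vendor/Device ID read; a missing device answers with all ones.
 * Simplified: only the all-ones pattern is treated as "absent". */
static uint32_t read_vendor_device(const struct model_dev *d)
{
    if (d->unplugged)
        return 0xffffffffu;
    return ((uint32_t)d->device << 16) | d->vendor;
}

/* Behaviour before the fix: probe the function that was passed in. */
static bool present_before_fix(const struct model_dev *d)
{
    return read_vendor_device(d) != 0xffffffffu;
}

/* Behaviour after the fix: a VF is judged by its PF (pci_physfn() upstream). */
static bool present_after_fix(const struct model_dev *d)
{
    if (d->is_virtfn)
        d = d->physfn;
    return read_vendor_device(d) != 0xffffffffu;
}

int main(void)
{
    printf("VF present, before fix: %d\n", present_before_fix(&sample_vf));
    printf("VF present, after fix:  %d\n", present_after_fix(&sample_vf));
    return 0;
}
```

In the pre-fix model a live VF is reported absent, which is the condition that led virtio_pci_remove() to call virtio_break_device() while I/O was still in flight.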
Affected versions
Linux kernel versions 3.13 and later are affected. Fixed in 4.14.303, 4.19.270, 5.4.229, 5.10.163, 5.15.87, 6.0.18, 6.1.4, 6.2 and their respective stable series.
References
The following references provide additional information about CVE-2022-50636 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
- Patch: Kernel patch commit https://git.kernel.org/stable/c/518573988a2f14f517403db2ece5ddaefba21e94
- Patch: Kernel patch commit https://git.kernel.org/stable/c/643d77fda08d06f863af35e80a7e517ea61d9629
- Patch: Kernel patch commit https://git.kernel.org/stable/c/65bd0962992abd42e77a05e68c7b40e7c73726d1
Frequently asked questions
- What is CVE-2022-50636?
  CVE-2022-50636 is an unscored-severity Linux kernel vulnerability. It affects Linux kernel versions from 3.13 onward and has been patched in 4.14.303, 4.19.270, 5.4.229 and others. CVE-2022-50636 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
- Is there a patch available for CVE-2022-50636?
  Yes. CVE-2022-50636 has been patched. Fixed versions include 4.14.303, 4.19.270, 5.4.229 and others. If you are running Linux kernel 3.13 or later and your kernel is older than the fixed version for its branch, apply the relevant patch for your kernel branch.
- Is CVE-2022-50636 actively exploited?
  No. CVE-2022-50636 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.