What is CVE-2022-50833?

CVE-2022-50833 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.19.2 onward and patched in 5.19.15, 6.0.1 and 6.1. CVE-2022-50833 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2022-50833?

CVE-2022-50833 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2022-50833?

Yes, CVE-2022-50833 has been patched. Fixed versions include 5.19.15, 6.0.1 and 6.1. If you are running Linux kernel 5.19.2 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2022-50833 actively exploited?

CVE-2022-50833 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2022-50833

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq WQ into hdev->workqueue WQ which is under draining operation [1], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation. The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete. Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue_delayed_work() after cancel_delayed_work() completed.

Package Linux Kernel

Published 2025-12-30

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 5.19.2, 5.18.18, 6.0 and later are affected. Fixed in 5.19.15, 6.0.1, 6.1 and their respective stable series.

Affected from

≥ 5.19.2 ≥ 5.18.18 ≥ 6.0

Fixed in

✓ 5.19.15 5.19.x ✓ 6.0.1 6.0.x ✓ 6.1

References

The following references provide additional information about CVE-2022-50833 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/3c6b036fe5c8ed8b6c4cbdc03605929882907ef0
Patch
Kernel patch commit
https://git.kernel.org/stable/c/c4635cf3d845a7324c25c52d549b70c8bd7ad4c7
Patch
Kernel patch commit
https://git.kernel.org/stable/c/deee93d13d385103205879a8a0915036ecd83261
Patch

Frequently asked questions

What is CVE-2022-50833?

CVE-2022-50833 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.19.2 onward and has been patched in 5.19.15, 6.0.1 and 6.1. CVE-2022-50833 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2022-50833?

Yes — CVE-2022-50833 has been patched. Fixed versions include 5.19.15, 6.0.1 and 6.1. If you are running Linux kernel 5.19.2 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2022-50833 actively exploited?

No — CVE-2022-50833 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.