FKIE_CVE-2022-50673
Vulnerability from fkie_nvd - Published: 2025-12-09 16:17 - Updated: 2026-06-17 05:23
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in ext4_orphan_cleanup
I caught a issue as follows:
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
Read of size 8 at addr ffff88814b13f378 by task mount/710
CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
Call Trace:
<TASK>
dump_stack_lvl+0x73/0x9f
print_report+0x25d/0x759
kasan_report+0xc0/0x120
__asan_load8+0x99/0x140
__list_add_valid+0x28/0x1a0
ext4_orphan_cleanup+0x564/0x9d0 [ext4]
__ext4_fill_super+0x48e2/0x5300 [ext4]
ext4_fill_super+0x19f/0x3a0 [ext4]
get_tree_bdev+0x27b/0x450
ext4_get_tree+0x19/0x30 [ext4]
vfs_get_tree+0x49/0x150
path_mount+0xaae/0x1350
do_mount+0xe2/0x110
__x64_sys_mount+0xf0/0x190
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_orphan_cleanup
--- loop1: assume last_orphan is 12 ---
list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
ext4_truncate --> return 0
ext4_inode_attach_jinode --> return -ENOMEM
iput(inode) --> free inode<12>
--- loop2: last_orphan is still 12 ---
list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
// use inode<12> and trigger UAF
To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f801a1593cb957f73659732836b2dafbdfc7709",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "026a4490b5381229a30f23d073b58e8e35ee6858",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "7223d5e75f26352354ea2c0ccf8b579821b52adf",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "cf0e0817b0f925b70d101d7014ea81b7094e1159",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "c2bdbd4c69308835d1b6f6ba74feeccbfe113478",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "7908b8a541b1578cc61b4da7f19b604a931441da",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "a71248b1accb2b42e4980afef4fa4a27fa0e36f5",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_orphan_cleanup\n\nI caught a issue as follows:\n==================================================================\n BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0\n Read of size 8 at addr ffff88814b13f378 by task mount/710\n\n CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x73/0x9f\n print_report+0x25d/0x759\n kasan_report+0xc0/0x120\n __asan_load8+0x99/0x140\n __list_add_valid+0x28/0x1a0\n ext4_orphan_cleanup+0x564/0x9d0 [ext4]\n __ext4_fill_super+0x48e2/0x5300 [ext4]\n ext4_fill_super+0x19f/0x3a0 [ext4]\n get_tree_bdev+0x27b/0x450\n ext4_get_tree+0x19/0x30 [ext4]\n vfs_get_tree+0x49/0x150\n path_mount+0xaae/0x1350\n do_mount+0xe2/0x110\n __x64_sys_mount+0xf0/0x190\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\n [...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_orphan_cleanup\n --- loop1: assume last_orphan is 12 ---\n list_add(\u0026EXT4_I(inode)-\u003ei_orphan, \u0026EXT4_SB(sb)-\u003es_orphan)\n ext4_truncate --\u003e return 0\n ext4_inode_attach_jinode --\u003e return -ENOMEM\n iput(inode) --\u003e free inode\u003c12\u003e\n --- loop2: last_orphan is still 12 ---\n list_add(\u0026EXT4_I(inode)-\u003ei_orphan, \u0026EXT4_SB(sb)-\u003es_orphan);\n // use inode\u003c12\u003e and trigger UAF\n\nTo solve this issue, we need to propagate the return value of\next4_inode_attach_jinode() appropriately."
}
],
"id": "CVE-2022-50673",
"lastModified": "2026-06-17T05:23:58.440",
"metrics": {
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2022-50673",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T15:48:47.172262Z",
"version": "2.0.3"
}
}
]
},
"published": "2025-12-09T16:17:19.473",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Deferred"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…