Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-50021

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
18/06/2025
Last modified:
13/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: block range must be validated before use in ext4_mb_clear_bb()<br /> <br /> Block range to free is validated in ext4_free_blocks() using<br /> ext4_inode_block_valid() and then it&amp;#39;s passed to ext4_mb_clear_bb().<br /> However in some situations on bigalloc file system the range might be<br /> adjusted after the validation in ext4_free_blocks() which can lead to<br /> troubles on corrupted file systems such as one found by syzkaller that<br /> resulted in the following BUG<br /> <br /> kernel BUG at fs/ext4/ext4.h:3319!<br /> PREEMPT SMP NOPTI<br /> CPU: 28 PID: 4243 Comm: repro Kdump: loaded Not tainted 5.19.0-rc6+ #1<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1.fc35 04/01/2014<br /> RIP: 0010:ext4_free_blocks+0x95e/0xa90<br /> Call Trace:<br /> <br /> ? lock_timer_base+0x61/0x80<br /> ? __es_remove_extent+0x5a/0x760<br /> ? __mod_timer+0x256/0x380<br /> ? ext4_ind_truncate_ensure_credits+0x90/0x220<br /> ext4_clear_blocks+0x107/0x1b0<br /> ext4_free_data+0x15b/0x170<br /> ext4_ind_truncate+0x214/0x2c0<br /> ? _raw_spin_unlock+0x15/0x30<br /> ? ext4_discard_preallocations+0x15a/0x410<br /> ? ext4_journal_check_start+0xe/0x90<br /> ? __ext4_journal_start_sb+0x2f/0x110<br /> ext4_truncate+0x1b5/0x460<br /> ? __ext4_journal_start_sb+0x2f/0x110<br /> ext4_evict_inode+0x2b4/0x6f0<br /> evict+0xd0/0x1d0<br /> ext4_enable_quotas+0x11f/0x1f0<br /> ext4_orphan_cleanup+0x3de/0x430<br /> ? proc_create_seq_private+0x43/0x50<br /> ext4_fill_super+0x295f/0x3ae0<br /> ? snprintf+0x39/0x40<br /> ? sget_fc+0x19c/0x330<br /> ? ext4_reconfigure+0x850/0x850<br /> get_tree_bdev+0x16d/0x260<br /> vfs_get_tree+0x25/0xb0<br /> path_mount+0x431/0xa70<br /> __x64_sys_mount+0xe2/0x120<br /> do_syscall_64+0x5b/0x80<br /> ? do_user_addr_fault+0x1e2/0x670<br /> ? exc_page_fault+0x70/0x170<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> RIP: 0033:0x7fdf4e512ace<br /> <br /> Fix it by making sure that the block range is properly validated before<br /> used every time it changes in ext4_free_blocks() or ext4_mb_clear_bb().

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.19.4 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools