CVE-2022-48923: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
btrfs: prevent copying too big compressed lzo segment
Compressed length can be corrupted to be a lot larger than memory we have allocated for buffer. This will cause memcpy in copy_compressed_segment to write outside of allocated memory.
This mostly results in stuck read syscall but sometimes when using btrfs send can get #GP
  kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI
  kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P OE 5.17.0-rc2-1 #12
  kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs]
  kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs
  Code starting with the faulting instruction
  ===========================================
     0:*  48 8b 06          mov    (%rsi),%rax    <-- trapping instruction
     3:   48 8d 79 08       lea    0x8(%rcx),%rdi
     7:   48 83 e7 f8       and    $0xfffffffffffffff8,%rdi
     b:   48 89 01          mov    %rax,(%rcx)
     e:   44 89 f0          mov    %r14d,%eax
    11:   48 8b 54 06 f8    mov    -0x8(%rsi,%rax,1),%rdx
  kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212
  kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8
  kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d
  kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000
  kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000
  kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000
  kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000
  kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0
  kernel: Call Trace:
  kernel: <TASK>
  kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs
  kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs
  kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs
  kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
  kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455)
  kernel: ? process_one_work (kernel/workqueue.c:2397)
  kernel: kthread (kernel/kthread.c:377)
  kernel: ? kthread_complete_and_exit (kernel/kthread.c:332)
  kernel: ret_from_fork (arch/x86/entry/entry_64.S:301)
  kernel: </TASK>
AI Analysis
Technical Summary
CVE-2022-48923 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation, specifically related to the handling of compressed LZO segments. The flaw arises when the compressed length of an LZO segment is corrupted to a value significantly larger than the allocated buffer size. This discrepancy leads to a buffer overflow condition during the memcpy operation in the copy_compressed_segment function. The overflow causes memory corruption, which can result in a kernel general protection fault (#GP), leading to system instability or crashes. The vulnerability is triggered primarily during read system calls and can also manifest during the use of the 'btrfs send' command, which is used for sending filesystem snapshots. The kernel logs indicate that the fault occurs in the lzo_decompress_bio function, with a detailed call trace showing the propagation of the fault through Btrfs compression and workqueue handling routines. This vulnerability is a memory safety issue that can cause denial of service (DoS) conditions due to kernel panics or stuck read operations. While no known exploits are reported in the wild, the nature of the vulnerability suggests that crafted filesystem data or maliciously manipulated Btrfs snapshots could trigger the fault. The affected versions correspond to specific Linux kernel commits identified by their hashes, indicating that the issue is present in certain recent kernel builds prior to the patch. No CVSS score has been assigned yet, and no public patch links are provided in the data, but the vulnerability has been officially published and enriched by CISA.
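The bound whose absence is described above, as an added userspace C example (not the kernel's code and not part of this advisory): a length-prefixed segment is copied only after its stored length has been checked against both the destination buffer and the remaining input. The buffer size, the 4-byte little-endian length prefix and the names copy_segment_checked and demo are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed model: the staging buffer holds the worst-case LZO output for one
 * 4 KiB page, and each segment is preceded by a little-endian u32 length. */
#define CBUF_SIZE (4096u + 4096u / 16 + 64 + 3)
#define LEN_HDR   4u

static uint32_t read_le32(const uint8_t *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper (not a kernel function): copy the segment at *off into
 * cbuf. Returns its length, or -EIO when the stored length cannot be trusted. */
static int copy_segment_checked(const uint8_t *in, size_t in_len, size_t *off,
                                uint8_t *cbuf)
{
    uint32_t seg_len;
    if (*off > in_len || in_len - *off < LEN_HDR)
        return -EIO;                    /* truncated length header */
    seg_len = read_le32(in + *off);
    *off += LEN_HDR;
    if (seg_len > CBUF_SIZE)            /* would write past the destination */
        return -EIO;
    if (seg_len > in_len - *off)        /* would read past the source */
        return -EIO;
    memcpy(cbuf, in + *off, seg_len);   /* bounded on both sides */
    *off += seg_len;
    return (int)seg_len;
}

/* Constructed input: 8 payload bytes behind whatever length is "on disk". */
static int demo(uint32_t stored_len)
{
    uint8_t in[LEN_HDR + 8] = { 0, 0, 0, 0, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };
    uint8_t cbuf[CBUF_SIZE];
    size_t off = 0;
    for (int i = 0; i < 4; i++)         /* store the length little-endian */
        in[i] = (uint8_t)(stored_len >> (8 * i));
    return copy_segment_checked(in, sizeof(in), &off, cbuf);
}

int main(void)
{
    printf("len 8 -> %d, len 0x100008 -> %d\n", demo(8), demo(0x100008));
    return 0;
}
```

A corrupted length is rejected with an I/O error before any copy takes place, so a damaged extent produces a failed read instead of an out-of-bounds write.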
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with affected Btrfs implementations, which are common in enterprise environments, cloud infrastructure, and data centers. The impact includes potential denial of service through kernel crashes or system hangs, which can disrupt critical services and operations. Systems using Btrfs for storage, especially those leveraging compression and snapshot features, are at higher risk. The vulnerability could affect servers, virtual machines, and container hosts, leading to downtime and possible data availability issues. Although there is no indication of privilege escalation or remote code execution, the denial of service impact on critical infrastructure could have cascading effects, particularly in sectors such as finance, telecommunications, healthcare, and government services. Additionally, the inability to reliably use Btrfs send operations could affect backup and disaster recovery processes. Given the widespread use of Linux in European IT environments, the vulnerability could have broad operational implications if exploited or triggered unintentionally.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Identify and inventory all Linux systems using Btrfs with compression enabled, focusing on those running affected kernel versions.
2) Apply the official Linux kernel patches as soon as they become available, or upgrade to a kernel version that includes the fix for CVE-2022-48923.
3) Temporarily disable Btrfs compression or avoid using 'btrfs send' operations on vulnerable systems until patched.
4) Implement kernel crash monitoring and alerting to detect and respond quickly to any general protection faults related to Btrfs.
5) For environments using automated deployment or container orchestration, update base images and container runtimes to include patched kernels.
6) Conduct thorough testing of backup and snapshot workflows to ensure stability post-mitigation.
7) Engage with Linux distribution vendors for backported patches if using long-term support kernels.
8) Limit access to systems with Btrfs send capabilities to trusted administrators to reduce the risk of maliciously crafted snapshots triggering the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T06:06:23.296Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aebf7d
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 6:12:32 AM
Last updated: 8/7/2025, 12:56:14 AM