
CVE-2022-49174: Vulnerability in Linux (Linux)

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 01:55:29 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit

In case of the flex_bg feature (which is enabled by default), extents for any given inode might span across blocks from two different block groups. ext4_mb_mark_bb() only reads the buffer_head of the block bitmap once for the starting block group, but it fails to read it again when the extent length boundary overflows to another block group. Then in the loop below it accesses memory beyond the block group bitmap buffer_head and results in a data abort.

    for (i = 0; i < clen; i++)
        if (!mb_test_bit(blkoff + i, bitmap_bh->b_data) == !state)
            already++;

This patch adds the functionality for checking the block group boundary in ext4_mb_mark_bb() and updates the buffer_head (bitmap_bh) for every different block group.

w/o this patch, I was easily able to hit a data access abort using the Power platform.

    <...>
    [   74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters
    [   74.533214] EXT4-fs (loop3): shut down requested (2)
    [   74.536705] Aborting journal on device loop3-8.
    [   74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000
    [   74.703727] Faulting instruction address: 0xc0000000007bffb8
    cpu 0xd: Vector: 300 (Data Access) at [c000000015db7060]
        pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0
        lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0
        sp: c000000015db7300
       msr: 800000000280b033
       dar: c00000005e980000
     dsisr: 40000000
      current = 0xc000000027af6880
      paca    = 0xc00000003ffd5200
        irqmask: 0x03   irq_happened: 0x01
      pid   = 5167, comm = mount
    <...>
    enter ? for help
    [c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410
    [c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000
    [c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0
    [c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0
    [c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0
    [c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10
    [c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350
    [c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40
    [c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100
    [c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70
    [c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550
    [c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0
    [c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250

AI-Powered Analysis

Last updated: 06/30/2025, 03:43:23 UTC

Technical Analysis

CVE-2022-49174 is a vulnerability in the Linux kernel's ext4 filesystem implementation related to the handling of block bitmaps when the flex_bg feature is enabled (which is the default setting). The ext4_mb_mark_bb() function is responsible for marking blocks in the block bitmap during allocation. However, when an extent spans across blocks from two different block groups, the function only reads the buffer_head of the block bitmap once for the starting block group and fails to update it when the extent crosses into another block group. This leads to out-of-bounds memory access beyond the block group bitmap buffer_head, causing a data abort and kernel crash. The vulnerability manifests as an ext4 filesystem error, inconsistent block bitmap and block group descriptor counts, and ultimately a kernel panic or journal abort. The issue was demonstrated on the Power platform, but it is inherent to the ext4 code path and could affect other architectures using ext4 with flex_bg enabled. The root cause is a missing boundary check and buffer update in ext4_mb_mark_bb(), which was fixed by adding logic to handle block group boundaries correctly and update the buffer_head accordingly. Exploitation does not require user interaction but does require the ability to trigger filesystem operations that allocate extents spanning block groups, such as mounting or writing to ext4 filesystems. No known exploits are reported in the wild, and no CVSS score is assigned yet.
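The boundary problem described above, modelled in standalone C as an added example (this is not kernel code, and the names, the 4-group/64-block toy geometry and the per-group bitmaps array are constructed here for illustration). mark_bb_unfixed() fetches one group's bitmap and indexes it for the whole extent, as the pre-fix loop did; mark_bb_fixed() clamps each pass to the blocks left in the current group and fetches that group's bitmap before marking, which is the shape of the fix the commit message describes.

```c
#include <stdint.h>

/* Constructed toy geometry: 4 block groups of 64 blocks (ext4 defaults to 32768
 * per group); bitmaps[g] stands in for the block-bitmap buffer_head of group g. */
#define NGROUPS          4
#define BLOCKS_PER_GROUP 64
static uint8_t bitmaps[NGROUPS][BLOCKS_PER_GROUP / 8];

static void set_bit_in(uint8_t *bm, unsigned bit) { bm[bit / 8] |= (uint8_t)(1u << (bit % 8)); }
int test_bit_in(unsigned group, unsigned bit) { return (bitmaps[group][bit / 8] >> (bit % 8)) & 1; }

/* Pre-fix logic: the starting group's bitmap is fetched once and indexed for the
 * whole extent. Where the kernel reads past b_data, the model stops and reports
 * the offending offset. Returns 0, or -1 if the extent crossed the group boundary. */
int mark_bb_unfixed(uint64_t block, unsigned clen, unsigned *bad_offset)
{
    unsigned group = (unsigned)(block / BLOCKS_PER_GROUP);
    unsigned blkoff = (unsigned)(block % BLOCKS_PER_GROUP);
    uint8_t *bitmap_bh = bitmaps[group];          /* read once, never refreshed */
    for (unsigned i = 0; i < clen; i++) {
        if (blkoff + i >= BLOCKS_PER_GROUP) {     /* out-of-bounds read in the kernel */
            *bad_offset = blkoff + i;
            return -1;
        }
        set_bit_in(bitmap_bh, blkoff + i);
    }
    return 0;
}

/* Fixed logic: clamp each pass to the blocks left in the current group and fetch
 * that group's bitmap before marking. Returns the number of groups visited, or
 * -1 if the extent runs past the last group. */
int mark_bb_fixed(uint64_t block, unsigned clen)
{
    int visited = 0;
    while (clen > 0) {
        unsigned group = (unsigned)(block / BLOCKS_PER_GROUP);
        unsigned blkoff = (unsigned)(block % BLOCKS_PER_GROUP);
        unsigned thisgrp_len = BLOCKS_PER_GROUP - blkoff;
        if (group >= NGROUPS) return -1;          /* extent beyond the filesystem */
        if (thisgrp_len > clen) thisgrp_len = clen;
        uint8_t *bitmap_bh = bitmaps[group];      /* fresh bitmap for this group */
        for (unsigned i = 0; i < thisgrp_len; i++)
            set_bit_in(bitmap_bh, blkoff + i);
        block += thisgrp_len;
        clen -= thisgrp_len;
        visited++;
    }
    return visited;
}
```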

Potential Impact

For European organizations, this vulnerability poses a risk of denial of service through kernel crashes or filesystem corruption on Linux systems using ext4 with flex_bg enabled. Since ext4 is the default filesystem for many Linux distributions widely used in Europe, including servers, desktops, and embedded devices, the impact could be significant. A successful exploitation could lead to system instability, data loss, or downtime, affecting critical infrastructure, enterprise servers, cloud environments, and industrial control systems running Linux. The vulnerability could be triggered by local users or processes with filesystem access, potentially including containerized environments or virtual machines using ext4-backed storage. While there is no indication of remote exploitation, the risk to availability and data integrity is notable, especially for organizations relying on ext4 for critical workloads. Recovery from crashes may require filesystem checks and restores, increasing operational overhead and risk of data loss.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the patch fixing CVE-2022-49174. Kernel updates from major Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. In environments where immediate patching is not feasible, administrators should avoid workloads that cause extents to span multiple block groups, such as large file writes or certain mount operations, although this is a limited workaround. Monitoring kernel logs for ext4 errors or data aborts can help detect attempts to trigger the vulnerability. Additionally, implementing filesystem integrity monitoring and regular backups will mitigate data loss risks. For containerized or virtualized environments, ensure host kernels are patched and consider isolating workloads that heavily use ext4. Finally, organizations should review their incident response plans to handle potential ext4 filesystem corruption or kernel panics.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.280Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe5166

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 3:43:23 AM

Last updated: 8/12/2025, 2:02:00 PM

