CVE-2022-49464: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix buffer copy overflow of ztailpacking feature

I got some KASAN report as below:

[ 46.959738] ==================================================================
[ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
...
[ 46.960430] Call Trace:
[ 46.960430] <TASK>
[ 46.960430] dump_stack_lvl+0x41/0x5e
[ 46.960430] print_report.cold+0xb2/0x6b7
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_report+0x8a/0x140
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_check_range+0x14d/0x1d0
[ 46.960430] memcpy+0x20/0x60
[ 46.960430] z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080

The root cause is that the tail pcluster won't be a complete filesystem block anymore. So if ztailpacking is used, the second part of an uncompressed tail pcluster may not be ``rq->pageofs_out``.
AI Analysis
Technical Summary
CVE-2022-49464 is a high-severity vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation, specifically in the ztailpacking feature. The vulnerability is a use-after-free condition (CWE-416) in the function z_erofs_shifted_transform, which decompresses data clusters (pclusters) within the filesystem. The root cause is the handling of tail pclusters, which are no longer complete filesystem blocks when ztailpacking is enabled: the second part of an uncompressed tail pcluster may not start at the expected rq->pageofs_out offset, so the copy overruns its buffer. The kernel's KASAN (Kernel Address Sanitizer) report confirms a use-after-free read of 4074 bytes (roughly 4 KB), meaning memory is accessed after it has been freed, which can lead to arbitrary code execution, privilege escalation, or system crashes. The vulnerability requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L) but no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high, as an attacker with local access could exploit this flaw to execute arbitrary code in kernel context or cause denial of service. The vulnerability affects specific Linux kernel versions identified by commit hashes, and while no exploits are currently known in the wild, the severity and nature of the flaw warrant prompt attention and patching.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Linux-based infrastructure, including servers, embedded devices, and cloud environments. Exploitation could lead to unauthorized privilege escalation, allowing attackers to gain root access and potentially move laterally within networks or disrupt critical services. This is particularly concerning for sectors such as finance, healthcare, government, and critical infrastructure, where Linux systems are prevalent and data confidentiality and system availability are paramount. The high severity and kernel-level nature of the vulnerability mean that successful exploitation could compromise entire systems, leading to data breaches, operational downtime, and compliance violations under regulations like GDPR. Additionally, organizations using customized or older Linux kernels may face challenges in timely patching, increasing exposure.
Mitigation Recommendations
Organizations should prioritize applying the official Linux kernel patches that address CVE-2022-49464 as soon as they become available. Until patches are deployed, limiting local access to trusted users and enforcing strict access controls can reduce exploitation risk. Kernel hardening such as Kernel Address Space Layout Randomization (KASLR), SELinux/AppArmor policies, and kernel lockdown features can provide additional defense layers. Regularly auditing and monitoring system logs for unusual kernel activity or crashes related to EROFS can help detect exploitation attempts early. For environments where patching is delayed, consider not using the ztailpacking feature if feasible (it is selected when the image is built, not at mount time), or avoid mounting EROFS images built with this feature. Finally, maintaining up-to-date backups and incident response plans will aid in recovery should exploitation occur.
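To identify images that use ztailpacking before mounting them, the following added example (not code from this page or from the EROFS project) reads the incompat feature flags out of an EROFS superblock. The superblock offset, magic value and ZTAILPACKING flag bit are taken from the kernel's fs/erofs/erofs_fs.h as I know it and should be checked against your kernel tree; the sample images are constructed inline and are not mountable filesystems.

```python
import struct

# Constants from the EROFS on-disk format (fs/erofs/erofs_fs.h); verify against your kernel tree.
EROFS_SUPER_OFFSET = 1024                 # superblock begins 1 KiB into the image
EROFS_SUPER_MAGIC_V1 = 0xE0F5E1E2
EROFS_FEATURE_INCOMPAT_ZTAILPACKING = 0x10
_SB_MAGIC_OFF = 0        # __le32 magic
_SB_BLKSZBITS_OFF = 12   # __u8 blkszbits (log2 of the block size)
_SB_INCOMPAT_OFF = 80    # __le32 feature_incompat
_SB_MIN_LEN = _SB_INCOMPAT_OFF + 4


def inspect_erofs_image(image: bytes) -> dict:
    """Parse the EROFS superblock and report whether ztailpacking is enabled."""
    sb = image[EROFS_SUPER_OFFSET:EROFS_SUPER_OFFSET + _SB_MIN_LEN]
    if len(sb) < _SB_MIN_LEN:
        raise ValueError("image too small to hold an EROFS superblock")
    (magic,) = struct.unpack_from("<I", sb, _SB_MAGIC_OFF)
    if magic != EROFS_SUPER_MAGIC_V1:
        raise ValueError(f"not an EROFS image (magic 0x{magic:08x})")
    blkszbits = sb[_SB_BLKSZBITS_OFF]
    (incompat,) = struct.unpack_from("<I", sb, _SB_INCOMPAT_OFF)
    return {
        "block_size": 1 << blkszbits,
        "feature_incompat": incompat,
        "ztailpacking": bool(incompat & EROFS_FEATURE_INCOMPAT_ZTAILPACKING),
    }


def make_sample_image(feature_incompat: int) -> bytes:
    """Constructed superblock-only sample image for demonstration (not mountable)."""
    buf = bytearray(EROFS_SUPER_OFFSET + 128)
    struct.pack_into("<I", buf, EROFS_SUPER_OFFSET + _SB_MAGIC_OFF, EROFS_SUPER_MAGIC_V1)
    buf[EROFS_SUPER_OFFSET + _SB_BLKSZBITS_OFF] = 12  # 4 KiB blocks
    struct.pack_into("<I", buf, EROFS_SUPER_OFFSET + _SB_INCOMPAT_OFF, feature_incompat)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # Usage: python check_erofs.py <image>; only the superblock region is read.
    with open(sys.argv[1], "rb") as f:
        print(inspect_erofs_image(f.read(EROFS_SUPER_OFFSET + 128)))
```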
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.577Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5b0c
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 7/3/2025, 3:09:32 AM
Last updated: 8/12/2025, 8:42:43 PM