
CVE-2022-49763: Vulnerability in Linux Linux

High
Published: Thu May 01 2025 (05/01/2025, 14:09:03 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ntfs: fix use-after-free in ntfs_attr_find()

Patch series "ntfs: fix bugs about Attribute", v2.

This patchset fixes three bugs relative to Attribute in record:

Patch 1 adds a sanity check to ensure that the attrs_offset field in the first mft record loaded from disk is within bounds.

Patch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid dereferencing ATTR_RECORD before checking this ATTR_RECORD is within bounds.

Patch 3 adds an overflow check to avoid a possible forever loop in ntfs_attr_find().

Without patch 1 and patch 2, the kernel triggers a KASAN use-after-free detection as reported by Syzkaller. Although one of patch 1 or patch 2 can fix this, we still need both of them, because patch 1 fixes the root cause, and patch 2 not only fixes the direct cause, but also fixes the potential out-of-bounds bug.

This patch (of 3):

Syzkaller reported use-after-free read as follows:

==================================================================
BUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
Read of size 2 at addr ffff88807e352009 by task syz-executor153/3607
[...]
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
 ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193
 ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845
 ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854
 mount_bdev+0x34d/0x410 fs/super.c:1400
 legacy_get_tree+0x105/0x220 fs/fs_context.c:610
 vfs_get_tree+0x89/0x2f0 fs/super.c:1530
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x1326/0x1e20 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350
head:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Kernel will load $MFT/$DATA's first mft record in ntfs_read_inode_mount(). Yet the problem is that after loading, kernel doesn't check whether the attrs_offset field is a valid value. To be more specific, if the attrs_offset field is larger than the bytes_allocated field, then it may trigger the out-of-bounds read bug (reported as a use-after-free bug) in ntfs_attr_find(), when the kernel tries to access the corresponding mft record's attribute.

This patch solves it by adding the sanity check between the attrs_offset field and the bytes_allocated field, after loading the first mft record.

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 01:11:41 UTC

Technical Analysis

CVE-2022-49763 is a vulnerability in the Linux kernel's legacy NTFS filesystem driver (fs/ntfs), reported in the ntfs_attr_find() function. The flaw arises from insufficient validation of the attrs_offset field in the first Master File Table (MFT) record loaded from disk: when attrs_offset exceeds the record's bytes_allocated field, ntfs_attr_find() reads past the end of the record while looking up its attributes. KASAN reports this as a use-after-free (UAF), but the underlying defect is an out-of-bounds read during NTFS attribute parsing, which can crash the kernel or corrupt memory. The issue was identified through KASAN (Kernel Address Sanitizer) reports generated by the Syzkaller fuzzing tool. The patch series addressing this vulnerability includes three fixes: (1) adding a sanity check to ensure attrs_offset is within valid bounds relative to bytes_allocated, (2) moving attribute record bounds checking earlier so that an ATTR_RECORD is validated before it is dereferenced, and (3) adding an overflow check to prevent an infinite loop in ntfs_attr_find(). Together, these patches address the root cause and the related out-of-bounds bugs. The vulnerability affects Linux kernel versions prior to the patch and is triggered during mounting of NTFS volumes, which is common in dual-boot or external drive scenarios. Exploitation requires the attacker to supply a malicious NTFS filesystem image or device that triggers the faulty attribute parsing logic. While no known exploits are reported in the wild, the vulnerability poses a risk of local privilege escalation or denial of service via kernel memory corruption.
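The three checks the patch series describes, modelled as an added standalone example (not the kernel's own code): the field names attrs_offset and bytes_allocated and the AT_END marker follow the NTFS layout the commit refers to, while the header structs, the 1024-byte constructed record and the helper names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define AT_END 0xffffffffU  /* NTFS end-of-attributes type marker */

/* Stand-ins for the two on-disk headers; only the fields the fix uses. */
struct mft_rec  { uint16_t attrs_offset; uint32_t bytes_allocated; };
struct attr_rec { uint32_t type; uint32_t length; };  /* length incl. header */

/* Patch 1: sanity check after loading the first mft record. attrs_offset
 * must leave room for at least one attribute header inside the record. */
static bool mft_rec_sane(const struct mft_rec *m, size_t loaded_len)
{
    return m->bytes_allocated <= loaded_len &&
           (size_t)m->attrs_offset + sizeof(struct attr_rec) <= m->bytes_allocated;
}

/* Patches 2 and 3: bounds-check every attribute header before reading it,
 * and reject lengths that would run past the record or wrap, so the walk
 * cannot loop forever. Returns the attribute count, or -1 if malformed. */
static int walk_attrs(const uint8_t *rec, const struct mft_rec *m)
{
    size_t off = m->attrs_offset;
    int n = 0;
    while (off + sizeof(struct attr_rec) <= m->bytes_allocated) {
        struct attr_rec a;
        memcpy(&a, rec + off, sizeof a);             /* safe: checked above */
        if (a.type == AT_END) return n;
        if (a.length < sizeof a || a.length > m->bytes_allocated - off)
            return -1;                               /* runs past end / wraps */
        off += a.length;
        n++;
    }
    return -1;                                       /* header straddles end */
}

/* Constructed sample (assumption, not real on-disk data): a 1024-byte record
 * with two attributes then AT_END at attrs_offset. first_len is what the
 * first header claims; the second header really sits 0x60 bytes after it. */
static int check_record(uint16_t attrs_offset, uint32_t bytes_allocated,
                        uint32_t first_len)
{
    uint8_t rec[1024] = {0};
    struct mft_rec m = { attrs_offset, bytes_allocated };
    struct attr_rec a1 = { 0x10, first_len }, a2 = { 0x30, 0x48 }, e = { AT_END, 0 };
    if (!mft_rec_sane(&m, sizeof rec)) return -2;    /* patch 1 rejects it */
    if ((size_t)attrs_offset + 0x60 + 0x48 + sizeof e > sizeof rec) return -3;
    memcpy(rec + attrs_offset, &a1, sizeof a1);
    memcpy(rec + attrs_offset + 0x60, &a2, sizeof a2);
    memcpy(rec + attrs_offset + 0x60 + 0x48, &e, sizeof e);
    return walk_attrs(rec, &m);
}
```

check_record() returns -2 for the CVE's root cause (attrs_offset beyond bytes_allocated), -1 when an attribute length would wrap or a header would straddle the record end, and the attribute count for a well-formed record.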

Potential Impact

For European organizations, this vulnerability could have significant impact especially in environments where Linux systems mount NTFS filesystems—common in enterprise networks with mixed OS environments or where external NTFS-formatted storage devices are used. Successful exploitation could lead to kernel crashes causing denial of service, or potentially enable privilege escalation if an attacker can craft malicious NTFS images or devices. This risk is heightened in sectors with high reliance on Linux servers or workstations that interact with Windows-based storage media, such as financial institutions, manufacturing, and critical infrastructure. Additionally, organizations using Linux-based virtual machines or containers that mount NTFS volumes could be affected. The vulnerability undermines system stability and security, potentially disrupting business operations and exposing sensitive data if attackers gain elevated privileges.

Mitigation Recommendations

Organizations should promptly apply the official Linux kernel patches that address CVE-2022-49763. Specifically, update to kernel versions that include the three-part patch series fixing the attrs_offset validation and attribute record bounds checking. For environments where immediate patching is not feasible, mitigate risk by restricting or monitoring the mounting of NTFS filesystems, especially from untrusted or external sources. Implement strict access controls and device usage policies to prevent unauthorized insertion of NTFS-formatted media. Employ kernel hardening techniques such as enabling KASAN or other memory safety tools in testing environments to detect similar issues proactively. Additionally, consider using alternative filesystems for external storage or virtual disk images where possible to reduce exposure. Regularly audit and monitor system logs for unusual mount operations or kernel errors related to NTFS handling.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T07:17:33.804Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4ac3

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 1:11:41 AM

Last updated: 8/12/2025, 12:49:00 PM
