Cyber Resilience

CVE-2022-49078

Severity: High
Published: 26 February 2025
Modified: 19 December 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.2th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49078 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (product: Linux Linux Kernel). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 4.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49078 is a vulnerability in the Linux kernel's LZ4 decompression implementation, specifically in the LZ4_decompress_safe_partial function used for partial decoding. In extreme corner cases with suitably corrupted compressed data, the function can read out of bounds, leading to a Use After Free condition (CWE-416). The affected code lives in the kernel's lib/lz4, which was ported from LZ4 v1.8.3; the issue was identified through a KASAN report.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation involves providing malformed compressed data to the LZ4_decompress_safe_partial routine, potentially resulting in out-of-bounds reads and subsequent UAF, which could enable arbitrary code execution, data corruption, or denial of service.

Mitigation is available through patches applied to Linux kernel stable trees, including commits such as 467d5e200ab4486b744fe1776154a43d1aa22d4b, 6adc01a7aa37445dafe8846faa0610a86029b253, 73953dfa9d50e5c9fe98ee13fd1d3427aa12a0a3, 9fb8bc6cfc58773ce95414e11c9ccc8fc6ac4927, and e64dbe97c05c769525cbca099ddbd22485630235. An upstream fix exists in the LZ4 library at commit c5d6f8a8be3927c0bec91bcc58667a6cfad244ad, though kernel maintainers opted for a targeted fix prior to a full update to LZ4 v1.9+.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

lz4: fix LZ4_decompress_safe_partial read out of bound

When partialDecoding, it is EOF if we've either filled the output buffer or can't proceed with reading an offset for following match. In some extreme corner cases when compressed data is suitably corrupted, UAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial may lead to read out of bound problem during decoding. lz4 upstream has fixed it [2] and this issue has been discussed here [3] before. The current decompression routine was ported from lz4 v1.8.3; bumping lib/lz4 to v1.9.+ is certainly a huge work to be done later, so we'd better fix it first.

[1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@google.com/
[2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#
[3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@fb.com/
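The EOF rule quoted in the commit message (stop when the output buffer is full, or when the next match offset cannot be read in full) is the whole fix. As an added illustration that is not the kernel's lib/lz4 code, the following deliberately simplified LZ4 block decoder, written for this page, applies that rule: a block truncated in the middle of an offset returns an error instead of reading past the input. The sample blocks and the helper names (lz4_decode_partial, decode_ok, decode_status) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified LZ4 block decoder written for this page (hypothetical, not the kernel's
 * lib/lz4). Partial mode stops once out_cap bytes exist, and a match offset is read only
 * when both of its bytes are inside the input, the EOF rule the CVE-2022-49078 fix states. */
enum { LZ4_ERR_TRUNCATED = -1, LZ4_ERR_OFFSET = -2 };

static int read_len(const uint8_t **ip, const uint8_t *iend, int len) { /* nibble 15: more bytes */
    for (uint8_t b = 255; len >= 15 && b == 255; len += b)
        if (*ip >= iend) return -1; else b = *(*ip)++;    /* length bytes must stay in input */
    return len;
}

/* Returns bytes written (<= out_cap) or a negative LZ4_ERR_* code. */
int lz4_decode_partial(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    const uint8_t *ip = in, *iend = in + in_len;
    uint8_t *op = out, *oend = out + out_cap;
    while (ip < iend) {
        uint8_t token = *ip++;
        int lit = read_len(&ip, iend, token >> 4);
        if (lit < 0 || (size_t)(iend - ip) < (size_t)lit) return LZ4_ERR_TRUNCATED;
        size_t n = (size_t)lit < (size_t)(oend - op) ? (size_t)lit : (size_t)(oend - op);
        memcpy(op, ip, n); op += n; ip += n;
        if (op == oend || ip == iend) return (int)(op - out); /* EOF: buffer full or last literals */
        if (iend - ip < 2) return LZ4_ERR_TRUNCATED;          /* offset not fully present: stop */
        size_t offset = (size_t)ip[0] | ((size_t)ip[1] << 8); ip += 2;
        if (offset == 0 || offset > (size_t)(op - out)) return LZ4_ERR_OFFSET;
        int ml = read_len(&ip, iend, token & 0x0f); if (ml < 0) return LZ4_ERR_TRUNCATED;
        size_t mlen = (size_t)ml + 4;                         /* LZ4 minimum match length is 4 */
        if (mlen > (size_t)(oend - op)) mlen = (size_t)(oend - op);
        for (size_t i = 0; i < mlen; i++) op[i] = *(op - offset + i); /* byte copy: overlap legal */
        op += mlen;
    }
    return (int)(op - out);
}

/* Constructed inputs: a valid block for "abcabcabcabc", the same block cut off inside
 * the match offset, and one whose offset reaches before the start of the output. */
static const uint8_t SAMPLE_OK[]  = {0x35, 'a', 'b', 'c', 0x03, 0x00};
static const uint8_t SAMPLE_CUT[] = {0x35, 'a', 'b', 'c', 0x03};
static const uint8_t SAMPLE_BAD[] = {0x35, 'a', 'b', 'c', 0x04, 0x00};
const char *decode_ok(size_t out_cap) {                /* SAMPLE_OK under a cap; "" on error */
    static uint8_t buf[16]; memset(buf, 0, sizeof buf);
    if (out_cap > 15) out_cap = 15;
    return lz4_decode_partial(SAMPLE_OK, sizeof SAMPLE_OK, buf, out_cap) < 0 ? "" : (const char *)buf;
}
int decode_status(const uint8_t *in, size_t in_len) {  /* status only, with ample output room */
    uint8_t buf[16];
    return lz4_decode_partial(in, in_len, buf, sizeof buf);
}
```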

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel UAF in LZ4 decompression directly enables local exploitation for privilege escalation to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2023-52974 (same product: Linux Linux Kernel)
CVE-2026-43019 (same product: Linux Linux Kernel)
CVE-2026-23158 (same product: Linux Linux Kernel)
CVE-2025-21893 (same product: Linux Linux Kernel)
CVE-2026-31446 (same product: Linux Linux Kernel)
CVE-2022-49176 (same product: Linux Linux Kernel)
CVE-2022-49291 (same product: Linux Linux Kernel)
CVE-2026-31650 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 4.20 to 5.4.189 · 5.5 to 5.10.111 · 5.11 to 5.15.34

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly addresses the CVE by requiring timely remediation of the out-of-bounds read and UAF flaw in the kernel's LZ4_decompress_safe_partial function through patching.

prevent: Mitigates exploitation of the memory corruption vulnerability (OOB read leading to UAF) via mechanisms like address space layout randomization and non-executable memory.

detect: Enables identification of systems vulnerable to this kernel LZ4 decompression flaw through regular vulnerability scanning.
