Cyber Resilience

CVE-2022-49170

Severity: High
Published: 26 February 2025
Modified: 23 September 2025
KEV Added: not listed
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.7th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49170 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 29.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49170 is an array-index-out-of-bounds vulnerability in the Linux kernel's F2FS (Flash-Friendly File System) implementation. The flaw stems from a missing sanity check on the curseg->alloc_type field, which is populated from the on-disk image and used as an index into the sbi->block_count[] array in fs/f2fs/segment.c (line 3460 in the affected tree); a corrupted value therefore produces an out-of-bounds access. The issue was reported via Bugzilla (ID 215657) and caught by UBSAN while mounting and operating on a corrupted F2FS image on kernels 5.17-rc4 and 5.17-rc6.

A local attacker with low privileges triggers the flaw by mounting a specially crafted (corrupted) F2FS image and operating on it; in the report, the out-of-bounds access occurs on umount, in the f2fs_write_checkpoint -> f2fs_allocate_data_block path. The CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impact on confidentiality, integrity, and availability, and the weakness is classified as CWE-129 (Improper Validation of Array Index).

Mitigation is to update to a patched Linux kernel; the fix was backported to the kernel.org stable trees in commits 0748a0f7dcb9d9dddc80302d73ebcecef6782ef0, 498b7088db71f9707359448cd6800bbb1882f4c3, c12765e3f129b144421c80d3383df885f85ee290, f41ee8b91c00770d718be2ff4852a80017ae9ab3, and f68caedf264a95c0b02dfd0d9f92ac2637d5848a. These patches add the missing sanity check on curseg->alloc_type so that an invalid value is rejected instead of being used as an array index.
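The defensive pattern behind the fix is simple: an index that comes from on-disk metadata must be range-checked before it touches an array. The following C program is an added illustration written for this page, not F2FS source or the actual patch; the struct and function names (curseg_info_like, sbi_like, alloc_type_is_valid, validate_cursegs, count_block, demo_corrupt_image) are hypothetical simplifications, and the sample value 231 is taken from the UBSAN message quoted in the report. It shows a mount-time validation pass that refuses a corrupted image, and an accounting step that cannot index out of range even if validation were skipped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration (not F2FS source): two allocation types, matching the
 * 'unsigned int [2]' array type named in the UBSAN report. Everything below
 * is a hypothetical simplification of the kernel structures. */
#define NR_ALLOC_TYPES 2u

struct curseg_info_like {
    uint8_t alloc_type;   /* decoded from the on-disk image: untrusted input */
};

struct sbi_like {
    unsigned int block_count[NR_ALLOC_TYPES];
};

/* The sanity check in spirit: the only acceptable values are 0 and 1. */
static bool alloc_type_is_valid(uint8_t alloc_type)
{
    return alloc_type < NR_ALLOC_TYPES;
}

/* Mount-time validation: walk every current-segment descriptor decoded from
 * the image and refuse it (return -1) if any alloc_type is out of range,
 * before anything uses the field as an array index. */
static int validate_cursegs(const struct curseg_info_like *cursegs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!alloc_type_is_valid(cursegs[i].alloc_type))
            return -1;
    }
    return 0;
}

/* Hardened accounting step: index block_count[] only after the value has been
 * proven in range. Returns -1 instead of touching memory on bad input. */
static int count_block(struct sbi_like *sbi, const struct curseg_info_like *curseg)
{
    if (!alloc_type_is_valid(curseg->alloc_type))
        return -1;
    sbi->block_count[curseg->alloc_type]++;
    return 0;
}

/* Constructed scenario: three descriptors, one carrying the out-of-range value
 * 231 quoted by UBSAN. Returns how many descriptors were rejected; the valid
 * ones are still counted, so block_count ends up {1, 1}. */
static int demo_corrupt_image(struct sbi_like *sbi)
{
    const struct curseg_info_like cursegs[3] = {
        { .alloc_type = 0 }, { .alloc_type = 231 }, { .alloc_type = 1 },
    };
    int rejected = 0;

    sbi->block_count[0] = 0;
    sbi->block_count[1] = 0;
    for (size_t i = 0; i < 3; i++) {
        if (count_block(sbi, &cursegs[i]) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    struct sbi_like sbi;
    const struct curseg_info_like bad[1] = { { .alloc_type = 231 } };

    printf("mount-time validation of alloc_type 231: %s\n",
           validate_cursegs(bad, 1) == 0 ? "accepted" : "rejected (image corrupt)");
    printf("descriptors rejected during accounting: %d\n", demo_corrupt_image(&sbi));
    printf("block_count = {%u, %u}\n", sbi.block_count[0], sbi.block_count[1]);
    return 0;
}
```

Two layers are deliberate: rejecting the image at mount time is the user-visible fix (the corrupted image never gets as far as checkpoint writing), while the check inside the accounting step is defence in depth for any later path that reaches the field.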

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on curseg->alloc_type

As Wenqing Liu reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=215657

- Overview
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image

- Reproduce
tested on kernel 5.17-rc4, 5.17-rc6
1. mkdir test_crash
2. cd test_crash
3. unzip tmp2.zip
4. mkdir mnt
5. ./single_test.sh f2fs 2

- Kernel dump
[ 46.434454] loop0: detected capacity change from 0 to 131072
[ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[ 46.738319] ================================================================================
[ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[ 46.738475] index 231 is out of range for type 'unsigned int [2]'
[ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 46.738551] Call Trace:
[ 46.738556] <TASK>
[ 46.738563] dump_stack_lvl+0x47/0x5c
[ 46.738581] ubsan_epilogue+0x5/0x50
[ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80
[ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[ 46.738819] do_write_page+0xef/0x210 [f2fs]
[ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[ 46.739038] __write_node_page+0x2b7/0x920 [f2fs]
[ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs]
[ 46.739507] deactivate_locked_super+0x60/0xc0
[ 46.739517] deactivate_super+0x70/0xb0
[ 46.739524] cleanup_mnt+0x11a/0x200
[ 46.739532] __cleanup_mnt+0x16/0x20
[ 46.739538] task_work_run+0x67/0xa0
[ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0
[ 46.739559] syscall_exit_to_user_mode+0x26/0x40
[ 46.739568] do_syscall_64+0x46/0xb0
[ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae

The root cause is that we missed doing a sanity check on curseg->alloc_type, resulting in out-of-bounds access of the sbi->block_count[] array; fix it.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local, low-privileged attacker who can mount and operate on a corrupted F2FS image triggers an out-of-bounds access inside the kernel; because the flaw is in kernel code and the CVSS vector rates confidentiality, integrity, and availability impact as high, it maps to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-49186 (same product: Linux Linux Kernel)
CVE-2026-23354 (same product: Linux Linux Kernel)
CVE-2025-71100 (same product: Linux Linux Kernel)
CVE-2025-21692 (same product: Linux Linux Kernel)
CVE-2022-49720 (same product: Linux Linux Kernel)
CVE-2023-52987 (same product: Linux Linux Kernel)
CVE-2023-53019 (same product: Linux Linux Kernel)
CVE-2022-49478 (same product: Linux Linux Kernel)
CVE-2022-49548 (same product: Linux Linux Kernel)
CVE-2025-71143 (same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
3.8 — 5.10.110 · 5.11 — 5.15.33 · 5.16 — 5.16.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

[prevent] SI-2 Flaw Remediation: directly mitigates the vulnerability by requiring timely patching of the Linux kernel to a version that includes the sanity check on curseg->alloc_type, preventing the out-of-bounds access in F2FS.

[prevent] SI-10 Information Input Validation: enforces validation of filesystem inputs such as curseg->alloc_type read from a corrupted F2FS image, so that an invalid value is never used as an array index.

[prevent · detect] Error handling: ensures that F2FS mount and subsequent operations handle an invalid alloc_type value gracefully (rejecting the image and logging the condition) without compromising confidentiality, integrity, or availability.

References