CVE-2022-49464
Published: 26 February 2025
Summary
CVE-2022-49464 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2022-49464 is a use-after-free vulnerability in the Linux kernel's EROFS filesystem implementation, specifically in the ztailpacking feature. The issue arises because, when ztailpacking is used, the tail pcluster is no longer a complete filesystem block, so the decompressor's assumption that the second part of an uncompressed tail pcluster starts at rq->pageofs_out no longer holds, and the memcpy in z_erofs_shifted_transform reads outside the valid buffer. This was detected via a KASAN report during that memcpy, triggered within z_erofs_decompress_pcluster. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could have a high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes on systems that mount affected EROFS images with ztailpacking enabled.
Mitigation involves applying the upstream kernel patches provided in the stable commit references, including 4d53a625f29074e7b8236c2c0e0922edb7608df9, 6b59e1907f58cf877c563dcf013159eb9f994b64, and dcbe6803fffd387f72b48c2373b5f5ed12a5804b, which resolve the buffer copy overflow by correctly handling tail pcluster offsets in the ztailpacking code path.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54765
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix buffer copy overflow of ztailpacking feature

I got some KASAN report as below:

[ 46.959738] ==================================================================
[ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
...
[ 46.960430] Call Trace:
[ 46.960430] <TASK>
[ 46.960430] dump_stack_lvl+0x41/0x5e
[ 46.960430] print_report.cold+0xb2/0x6b7
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_report+0x8a/0x140
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_check_range+0x14d/0x1d0
[ 46.960430] memcpy+0x20/0x60
[ 46.960430] z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080

The root cause is that the tail pcluster won't be a complete filesystem block anymore. So if ztailpacking is used, the second part of an uncompressed tail pcluster may not be ``rq->pageofs_out``.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
Local kernel use-after-free enabling arbitrary code execution by low-privileged attackers directly maps to exploitation for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and patching of the use-after-free vulnerability in the Linux kernel's EROFS ztailpacking feature to eliminate the buffer copy overflow.
- SI-16 (Memory Protection): Implements memory protections such as address space layout randomization and non-executable memory to mitigate exploitation of the use-after-free for arbitrary code execution or crashes.
- RA-5 (Vulnerability Monitoring and Scanning): Provides vulnerability scanning to detect the presence of CVE-2022-49464 in Linux kernels, enabling prioritization and remediation of the EROFS tail pcluster offset flaw.