CVE-2022-49464

High

Published: 26 February 2025
Modified: 24 March 2025
KEV Added: not listed
Patch: upstream patches available
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0014 (33.6th percentile)
Risk priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49464 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 33.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49464 is a use-after-free vulnerability in the Linux kernel's EROFS filesystem implementation, specifically in the ztailpacking feature. The issue arises because the tail pcluster is no longer guaranteed to be a complete filesystem block, so the second part of an uncompressed tail pcluster can no longer be assumed to correspond to rq->pageofs_out, and the copy runs past its buffer. This was detected via a KASAN report during a memcpy in z_erofs_shifted_transform, called from z_erofs_decompress_pcluster. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes on systems using affected EROFS images with ztailpacking enabled.

Mitigation involves applying the upstream kernel patches provided in the stable commit references, including 4d53a625f29074e7b8236c2c0e0922edb7608df9, 6b59e1907f58cf877c563dcf013159eb9f994b64, and dcbe6803fffd387f72b48c2373b5f5ed12a5804b, which resolve the buffer copy overflow by correctly handling tail pcluster offsets in the ztailpacking code path.
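To make the root cause and the corrected offset handling described above concrete, here is a constructed C model, added here and not the kernel's code: it splits an uncompressed tail of `outputsize` bytes across two output pages at `pageofs_out`, once under the pre-fix whole-block assumption and once bounded by the real size. PAGE_SIZE is shrunk to 64, the `outputsize` name and the bounded planner are my reconstruction of the approach rather than the upstream diff, and the sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 64u /* shrunk from 4096 so the numbers stay readable */
/* How the uncompressed tail data is split across the two output pages. */
struct split_plan {
    unsigned int righthalf; /* bytes placed in out[0] starting at pageofs_out */
    unsigned int lefthalf;  /* bytes spilling into out[1] starting at offset 0 */
};

/* Pre-fix assumption the page describes: a whole-block tail, so the spill is pageofs_out. */
struct split_plan plan_assuming_full_block(unsigned int pageofs_out, unsigned int outputsize)
{
    struct split_plan p = { PAGE_SIZE - pageofs_out, pageofs_out };
    (void)outputsize; /* never consulted: the root cause */
    return p;
}

/* Bounded variant (my reconstruction, an assumption): clamp to the real output size. */
struct split_plan plan_bounded(unsigned int pageofs_out, unsigned int outputsize)
{
    unsigned int room = PAGE_SIZE - pageofs_out;
    struct split_plan p = { outputsize < room ? outputsize : room, 0 };
    p.lefthalf = outputsize - p.righthalf;
    return p;
}

/* Copy per plan; refuse a plan reading past the outputsize bytes present. -1 on over-read. */
int split_copy(const uint8_t *src, unsigned int outputsize, unsigned int pageofs_out,
               struct split_plan p, uint8_t out0[PAGE_SIZE], uint8_t out1[PAGE_SIZE])
{
    if ((size_t)p.righthalf + p.lefthalf > outputsize ||
        pageofs_out + p.righthalf > PAGE_SIZE || p.lefthalf > PAGE_SIZE)
        return -1; /* the kernel had no such guard, hence the KASAN report */
    memcpy(out0 + pageofs_out, src, p.righthalf);
    memcpy(out1, src + p.righthalf, p.lefthalf);
    return (int)(p.righthalf + p.lefthalf);
}

/* One constructed scenario: outputsize tail bytes at pageofs_out, pre-fix (0) or bounded (1). */
int demo_tail_split(unsigned int pageofs_out, unsigned int outputsize, int bounded)
{
    uint8_t src[PAGE_SIZE], out0[PAGE_SIZE] = {0}, out1[PAGE_SIZE] = {0};
    if (pageofs_out >= PAGE_SIZE || outputsize > PAGE_SIZE)
        return -1;
    for (unsigned int i = 0; i < PAGE_SIZE; i++)
        src[i] = (uint8_t)i; /* constructed sample payload */
    struct split_plan p = bounded ? plan_bounded(pageofs_out, outputsize)
                                  : plan_assuming_full_block(pageofs_out, outputsize);
    return split_copy(src, outputsize, pageofs_out, p, out0, out1);
}
```

With a 40-byte tail landing at offset 48, the whole-block plan wants 48 spill bytes from a 40-byte source and is refused, while the bounded plan copies exactly 40; for a genuine full block both plans agree.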

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix buffer copy overflow of ztailpacking feature

I got some KASAN report as below:

    [ 46.959738] ==================================================================
    [ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
    [ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
    ...
    [ 46.960430] Call Trace:
    [ 46.960430] <TASK>
    [ 46.960430] dump_stack_lvl+0x41/0x5e
    [ 46.960430] print_report.cold+0xb2/0x6b7
    [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
    [ 46.960430] kasan_report+0x8a/0x140
    [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
    [ 46.960430] kasan_check_range+0x14d/0x1d0
    [ 46.960430] memcpy+0x20/0x60
    [ 46.960430] z_erofs_shifted_transform+0x2bd/0x370
    [ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080

The root cause is that the tail pcluster won't be a complete filesystem block anymore. So if ztailpacking is used, the second part of an uncompressed tail pcluster may not be ``rq->pageofs_out``.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free enabling arbitrary code execution by low-privileged attackers directly maps to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2023-52974 (same product: Linux Linux Kernel)
CVE-2026-43019 (same product: Linux Linux Kernel)
CVE-2026-23158 (same product: Linux Linux Kernel)
CVE-2025-21893 (same product: Linux Linux Kernel)
CVE-2026-31446 (same product: Linux Linux Kernel)
CVE-2022-49176 (same product: Linux Linux Kernel)
CVE-2022-49291 (same product: Linux Linux Kernel)
CVE-2026-31650 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.17 through 5.17.14; 5.18 through 5.18.3

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent, recover)

Directly requires timely identification, reporting, and patching of the use-after-free vulnerability in the Linux kernel's EROFS ztailpacking feature to eliminate the buffer copy overflow.

SI-16 Memory Protection (prevent)

Implements memory protections such as address space layout randomization and non-executable memory to mitigate exploitation of the use-after-free for arbitrary code execution or crashes.

RA-5 Vulnerability Monitoring and Scanning (detect)

Provides vulnerability scanning to detect the presence of CVE-2022-49464 in Linux kernels, enabling prioritization and remediation of the EROFS tail pcluster offset flaw.
