CVE-2022-49560

Severity: High
Published: 26 February 2025
Modified: 01 October 2025
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0015 (35.1th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49560 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 35.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-49560 is a slab-out-of-bounds read vulnerability in the Linux kernel's exFAT filesystem implementation, specifically in the exfat_clear_bitmap function in fs/exfat/balloc.c. The issue arises from missing validation of cluster numbers; Syzbot fuzzing reported that it can be triggered by a truncate operation that sets a file's size to zero. During the truncate path (exfat_setattr, exfat_truncate and then exfat_free_cluster), clearing the allocation bitmap reads 8 bytes out of bounds, which KASAN detected.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L). Successful exploitation results in high-impact confidentiality loss (C:H) through potential exposure of sensitive kernel memory and high-impact availability disruption (A:H) via kernel crashes, but no integrity impact (I:N) in an unchanged security scope (S:U). The CVSS v3.1 base score is 7.1, classified under CWE-125 (Out-of-bounds Read).

Kernel patch commits referenced in advisories address the issue by introducing is_valid_cluster checks in exfat_clear_bitmap and exfat_set_bitmap to ensure cluster numbers are within valid ranges. The is_valid_cluster helper was moved from fs/exfat/fatent.c to a common header for reuse across exFAT source files. Mitigation requires updating to Linux kernel versions incorporating these stable branch commits, such as those at https://git.kernel.org/stable/c/2193286402df2d9c53294f7a858d5e6fd7346e08 and related patches.
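The fix described above, validating the cluster number before it is used to index the allocation bitmap, modelled in user-space C as an added example; this is not the kernel's code. It assumes exFAT's two reserved clusters (so the bitmap bit for cluster N is bit N - 2) and stands in for the out-of-bounds read with an error return so the pre-fix and post-fix shapes can be compared safely.

```c
#include <stdbool.h>
#include <stddef.h>

/* exFAT reserves clusters 0 and 1, so the allocation-bitmap bit for cluster N
 * sits at bit index N - 2 (assumption modelled on the on-disk format). */
#define EXFAT_FIRST_CLUSTER 2U

struct sb_model {
    unsigned int num_clusters;  /* clusters on the volume, reserved ones included */
    unsigned char *bitmap;      /* allocation bitmap, one bit per data cluster */
    size_t bitmap_len;          /* bitmap size in bytes */
};

/* Same semantics as the kernel's is_valid_cluster() helper named on the page. */
static bool is_valid_cluster(const struct sb_model *sbi, unsigned int clus)
{
    return clus >= EXFAT_FIRST_CLUSTER && clus < sbi->num_clusters;
}

/* Pre-fix shape: the bit index comes straight from the caller's cluster number.
 * A cluster below 2 underflows the subtraction, one past the end indexes beyond
 * the bitmap; the kernel reads out of bounds there, this model returns -1. */
static int clear_bitmap_unchecked(struct sb_model *sbi, unsigned int clus)
{
    unsigned int ent = clus - EXFAT_FIRST_CLUSTER;
    size_t byte = ent / 8U;
    if (byte >= sbi->bitmap_len)
        return -1;  /* stands in for the slab-out-of-bounds read */
    sbi->bitmap[byte] &= (unsigned char)~(1U << (ent % 8U));
    return 0;
}

/* Post-fix shape: reject invalid cluster numbers before touching the bitmap. */
static int clear_bitmap_checked(struct sb_model *sbi, unsigned int clus)
{
    if (!is_valid_cluster(sbi, clus))
        return -5;  /* EIO-style rejection, no memory access happens */
    return clear_bitmap_unchecked(sbi, clus);
}

struct model_result { int rc; unsigned char bitmap; };

/* Constructed scenario: 10-cluster volume (data clusters 2..9 in one bitmap
 * byte, all allocated); clear one cluster with or without the check. */
static struct model_result model_clear(unsigned int clus, bool checked)
{
    unsigned char bits = 0xFF;
    struct sb_model sbi = { 10U, &bits, 1U };
    struct model_result r;
    r.rc = checked ? clear_bitmap_checked(&sbi, clus) : clear_bitmap_unchecked(&sbi, clus);
    r.bitmap = bits;
    return r;
}
```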

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

exfat: check if cluster num is valid

Syzbot reported slab-out-of-bounds read in exfat_clear_bitmap. This was triggered by reproducer calling truncate with size 0, which causes the following trace:

BUG: KASAN: slab-out-of-bounds in exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174
Read of size 8 at addr ffff888115aa9508 by task syz-executor251/365
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3c0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174
 exfat_free_cluster+0x25a/0x4a0 fs/exfat/fatent.c:181
 __exfat_truncate+0x99e/0xe00 fs/exfat/file.c:217
 exfat_truncate+0x11b/0x4f0 fs/exfat/file.c:243
 exfat_setattr+0xa03/0xd40 fs/exfat/file.c:339
 notify_change+0xb76/0xe10 fs/attr.c:336
 do_truncate+0x1ea/0x2d0 fs/open.c:65

Move the is_valid_cluster() helper from fatent.c to a common header to make it reusable in other *.c files. And add is_valid_cluster() to validate if cluster number is within valid range in exfat_clear_bitmap() and exfat_set_bitmap().

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

A local kernel out-of-bounds read can disclose kernel memory, which supports credential access (T1212) and privilege-escalation exploits (T1068); the same bug can also crash the kernel, affecting availability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31708 (same product: Linux Linux Kernel)
CVE-2024-57928 (same product: Linux Linux Kernel)
CVE-2026-31782 (same product: Linux Linux Kernel)
CVE-2026-31449 (same product: Linux Linux Kernel)
CVE-2026-23076 (same product: Linux Linux Kernel)
CVE-2022-49515 (same product: Linux Linux Kernel)
CVE-2025-71136 (same product: Linux Linux Kernel)
CVE-2022-49234 (same product: Linux Linux Kernel)
CVE-2025-71101 (same product: Linux Linux Kernel)
CVE-2026-31528 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.7 to 5.10.120, 5.11 to 5.15.45, 5.16 to 5.17.13

Mitigating Controls (NIST 800-53 r5)

Prevent: flaw remediation. Timely flaw remediation through kernel patching directly implements the missing is_valid_cluster checks that prevent out-of-bounds reads in exFAT bitmap operations.

Prevent: SI-10, Information Input Validation. Requires validation of cluster numbers passed as inputs to exFAT functions such as exfat_clear_bitmap, addressing the root cause of invalid cluster access during truncate.

Detect and respond: RA-5, Vulnerability Monitoring and Scanning. Vulnerability scanning identifies Linux kernels vulnerable to CVE-2022-49560, enabling remediation before local exploitation.
