Cyber Resilience

CVE-2022-49738

High

Published: 27 March 2025

Published
27 March 2025
Modified
01 October 2025
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0004 11.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49738 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-49738 is a slab-out-of-bounds read vulnerability in the Linux kernel's f2fs filesystem implementation. The issue arises in the is_alive() function within the garbage collection code (gc_data_segment), where a missing sanity check on the i_extra_isize field leads to invalid memory access via offset_in_addr and data_blkaddr macros. This was detected by syzbot during kernel writeback operations on a tainted 6.1.0-rc4 kernel, resulting in a KASAN-reported read of 4 bytes at an invalid slab address.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) in a local attack vector (AV:L). Successful exploitation triggers the out-of-bounds read during f2fs garbage collection, potentially allowing high confidentiality impact through kernel memory disclosure (C:H) and high availability impact via system crash or denial of service (A:H), with no integrity impact (I:N). The CVSS v3.1 base score is 7.1, mapped to CWE-125 (Out-of-bounds Read).

Mitigation involves applying upstream patches from the provided stable kernel commit references, which add the necessary sanity check on i_extra_isize in the affected code path. Key commits include 5b25035fb888cb2f78bf0b9c9f95b1dc54480d36, 914e38f02a490dafd980ff0f39cccedc074deb29, 97ccfffcc061e54ce87e4a51a40e2e9cb0b7076a, d3b7b4afd6b2c344eabf9cc26b8bfa903c164c7c, and e5142a4935c1f15841d06047b8130078fc4d7b8f, backported to relevant stable branches.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_extra_isize in is_alive() syzbot found a f2fs bug: BUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline] BUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline] BUG:…

more

KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline] BUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734 Read of size 4 at addr ffff888076557568 by task kworker/u4:3/52 CPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbb/0x1f0 mm/kasan/report.c:495 data_blkaddr fs/f2fs/f2fs.h:2891 [inline] is_alive fs/f2fs/gc.c:1117 [inline] gc_data_segment fs/f2fs/gc.c:1520 [inline] do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734 f2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831 f2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410 f2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753 write_inode fs/fs-writeback.c:1440 [inline] __writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652 writeback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870 wb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044 wb_do_writeback fs/fs-writeback.c:2187 [inline] wb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 The root cause is that we forgot to do sanity check on .i_extra_isize in below path, result in accessing invalid address later, fix it. - gc_data_segment - is_alive - data_blkaddr - offset_in_addr

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Kernel OOB read enables memory disclosure for credential access via exploitation (T1212); also facilitates system crash/DoS via application or system exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-49368Same product: Linux Linux Kernel
CVE-2025-21743Same product: Linux Linux Kernel
CVE-2026-31774Same product: Linux Linux Kernel
CVE-2026-23325Same product: Linux Linux Kernel
CVE-2025-21815Same product: Linux Linux Kernel
CVE-2026-31779Same product: Linux Linux Kernel
CVE-2026-43051Same product: Linux Linux Kernel
CVE-2026-23269Same product: Linux Linux Kernel
CVE-2022-49249Same product: Linux Linux Kernel
CVE-2026-31568Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
≤ 5.4.232 · 5.5 — 5.10.168 · 5.11 — 5.15.93

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates CVE-2022-49738 by applying upstream kernel patches that add the missing sanity check on i_extra_isize in f2fs gc code, preventing the slab-out-of-bounds read.

prevent

Information input validation enforces checks on filesystem metadata like i_extra_isize before use in offset calculations, addressing the root cause of invalid memory access in is_alive().

prevent

Memory protection mechanisms such as kernel address space layout randomization and supervisor protections limit the impact of out-of-bounds reads by mitigating kernel memory disclosure and exploitation.

References