CVE-2022-49846 (GCVE-0-2022-49846)

Vulnerability from cvelistv5 – Published: 2025-05-01 14:10 – Updated: 2025-10-01 16:59
VLAI?
Title
udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
Summary
In the Linux kernel, the following vulnerability has been resolved: udf: Fix a slab-out-of-bounds write bug in udf_find_entry() Syzbot reported a slab-out-of-bounds Write bug: loop0: detected capacity change from 0 to 2048 ================================================================== BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253 Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610 CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 memcpy+0x3c/0x60 mm/kasan/shadow.c:66 udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253 udf_lookup+0xef/0x340 fs/udf/namei.c:309 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 do_sys_openat2+0x124/0x4e0 fs/open.c:1310 do_sys_open fs/open.c:1326 [inline] __do_sys_creat fs/open.c:1402 [inline] __se_sys_creat fs/open.c:1396 [inline] __x64_sys_creat+0x11f/0x160 fs/open.c:1396 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ffab0d164d9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9 RDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180 RBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000 R10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 3610: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:576 [inline] udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243 udf_lookup+0xef/0x340 fs/udf/namei.c:309 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 do_sys_openat2+0x124/0x4e0 fs/open.c:1310 do_sys_open fs/open.c:1326 [inline] __do_sys_creat fs/open.c:1402 [inline] __se_sys_creat fs/open.c:1396 [inline] __x64_sys_creat+0x11f/0x160 fs/open.c:1396 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff8880123ff800 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 150 bytes inside of 256-byte region [ffff8880123ff800, ffff8880123ff900) The buggy address belongs to the physical page: page:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123fe head:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0 create_dummy_stack mm/page_owner.c: ---truncated---
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 , < 583fdd98d94acba1e7225e5cc29063aef0741030 (git)
Affected: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 , < f1517721c408631f09d54c743aa70cb07fd3eebd (git)
Affected: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 , < 7a6051d734f1ed0031e2216f9a538621235c11a4 (git)
Affected: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 , < d8971f410739a864c537e0ac29344a7b6c450232 (git)
Affected: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 , < 03f9582a6a2ebd25a440896475c968428c4b63e7 (git)
Affected: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 , < c736ed8541605e3a25075bb1cbf8f38cb3083238 (git)
Affected: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 , < ac79001b8e603226fab17240a79cb9ef679d3cd9 (git)
Affected: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 , < c8af247de385ce49afabc3bf1cf4fd455c94bfe8 (git)
Create a notification for this product.
    Linux Linux Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 4.9.334 , ≤ 4.9.* (semver)
Unaffected: 4.14.300 , ≤ 4.14.* (semver)
Unaffected: 4.19.267 , ≤ 4.19.* (semver)
Unaffected: 5.4.225 , ≤ 5.4.* (semver)
Unaffected: 5.10.155 , ≤ 5.10.* (semver)
Unaffected: 5.15.79 , ≤ 5.15.* (semver)
Unaffected: 6.0.9 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49846",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T16:59:56.467928Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T16:59:59.989Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/udf/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "583fdd98d94acba1e7225e5cc29063aef0741030",
              "status": "affected",
              "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0",
              "versionType": "git"
            },
            {
              "lessThan": "f1517721c408631f09d54c743aa70cb07fd3eebd",
              "status": "affected",
              "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0",
              "versionType": "git"
            },
            {
              "lessThan": "7a6051d734f1ed0031e2216f9a538621235c11a4",
              "status": "affected",
              "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0",
              "versionType": "git"
            },
            {
              "lessThan": "d8971f410739a864c537e0ac29344a7b6c450232",
              "status": "affected",
              "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0",
              "versionType": "git"
            },
            {
              "lessThan": "03f9582a6a2ebd25a440896475c968428c4b63e7",
              "status": "affected",
              "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0",
              "versionType": "git"
            },
            {
              "lessThan": "c736ed8541605e3a25075bb1cbf8f38cb3083238",
              "status": "affected",
              "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0",
              "versionType": "git"
            },
            {
              "lessThan": "ac79001b8e603226fab17240a79cb9ef679d3cd9",
              "status": "affected",
              "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0",
              "versionType": "git"
            },
            {
              "lessThan": "c8af247de385ce49afabc3bf1cf4fd455c94bfe8",
              "status": "affected",
              "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/udf/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.334",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.300",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.267",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.225",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.155",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.334",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.300",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.267",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.225",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.155",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.79",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.9",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix a slab-out-of-bounds write bug in udf_find_entry()\n\nSyzbot reported a slab-out-of-bounds Write bug:\n\nloop0: detected capacity change from 0 to 2048\n==================================================================\nBUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0\nfs/udf/namei.c:253\nWrite of size 105 at addr ffff8880123ff896 by task syz-executor323/3610\n\nCPU: 0 PID: 3610 Comm: syz-executor323 Not tainted\n6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS\nGoogle 10/11/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:284\n print_report+0x107/0x1f0 mm/kasan/report.c:395\n kasan_report+0xcd/0x100 mm/kasan/report.c:495\n kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189\n memcpy+0x3c/0x60 mm/kasan/shadow.c:66\n udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253\n udf_lookup+0xef/0x340 fs/udf/namei.c:309\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_creat fs/open.c:1402 [inline]\n __se_sys_creat fs/open.c:1396 [inline]\n __x64_sys_creat+0x11f/0x160 fs/open.c:1396\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7ffab0d164d9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9\nRDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180\nRBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000\nR10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 3610:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n ____kasan_kmalloc mm/kasan/common.c:371 [inline]\n __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\n kmalloc include/linux/slab.h:576 [inline]\n udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243\n udf_lookup+0xef/0x340 fs/udf/namei.c:309\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_creat fs/open.c:1402 [inline]\n __se_sys_creat fs/open.c:1396 [inline]\n __x64_sys_creat+0x11f/0x160 fs/open.c:1396\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe buggy address belongs to the object at ffff8880123ff800\n which belongs to the cache kmalloc-256 of size 256\nThe buggy address is located 150 bytes inside of\n 256-byte region [ffff8880123ff800, ffff8880123ff900)\n\nThe buggy address belongs to the physical page:\npage:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000\nindex:0x0 pfn:0x123fe\nhead:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40\nraw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(),\npid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0\n create_dummy_stack mm/page_owner.c:\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:46:46.900Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/583fdd98d94acba1e7225e5cc29063aef0741030"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1517721c408631f09d54c743aa70cb07fd3eebd"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a6051d734f1ed0031e2216f9a538621235c11a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8971f410739a864c537e0ac29344a7b6c450232"
        },
        {
          "url": "https://git.kernel.org/stable/c/03f9582a6a2ebd25a440896475c968428c4b63e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c736ed8541605e3a25075bb1cbf8f38cb3083238"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac79001b8e603226fab17240a79cb9ef679d3cd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8af247de385ce49afabc3bf1cf4fd455c94bfe8"
        }
      ],
      "title": "udf: Fix a slab-out-of-bounds write bug in udf_find_entry()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49846",
    "datePublished": "2025-05-01T14:10:00.703Z",
    "dateReserved": "2025-05-01T14:05:17.230Z",
    "dateUpdated": "2025-10-01T16:59:59.989Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-49846\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T16:59:56.467928Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T14:34:44.380Z\"}}], \"cna\": {\"title\": \"udf: Fix a slab-out-of-bounds write bug in udf_find_entry()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"066b9cded00b8e3212df74a417bb074f3f3a1fe0\", \"lessThan\": \"583fdd98d94acba1e7225e5cc29063aef0741030\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"066b9cded00b8e3212df74a417bb074f3f3a1fe0\", \"lessThan\": \"f1517721c408631f09d54c743aa70cb07fd3eebd\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"066b9cded00b8e3212df74a417bb074f3f3a1fe0\", \"lessThan\": \"7a6051d734f1ed0031e2216f9a538621235c11a4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"066b9cded00b8e3212df74a417bb074f3f3a1fe0\", \"lessThan\": \"d8971f410739a864c537e0ac29344a7b6c450232\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"066b9cded00b8e3212df74a417bb074f3f3a1fe0\", \"lessThan\": \"03f9582a6a2ebd25a440896475c968428c4b63e7\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"066b9cded00b8e3212df74a417bb074f3f3a1fe0\", \"lessThan\": \"c736ed8541605e3a25075bb1cbf8f38cb3083238\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"066b9cded00b8e3212df74a417bb074f3f3a1fe0\", \"lessThan\": \"ac79001b8e603226fab17240a79cb9ef679d3cd9\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"066b9cded00b8e3212df74a417bb074f3f3a1fe0\", \"lessThan\": \"c8af247de385ce49afabc3bf1cf4fd455c94bfe8\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/udf/namei.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.6\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.9.334\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.9.*\"}, {\"status\": \"unaffected\", \"version\": \"4.14.300\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.14.*\"}, {\"status\": \"unaffected\", \"version\": \"4.19.267\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.225\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.155\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.79\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.0.9\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.0.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/udf/namei.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/583fdd98d94acba1e7225e5cc29063aef0741030\"}, {\"url\": \"https://git.kernel.org/stable/c/f1517721c408631f09d54c743aa70cb07fd3eebd\"}, {\"url\": \"https://git.kernel.org/stable/c/7a6051d734f1ed0031e2216f9a538621235c11a4\"}, {\"url\": \"https://git.kernel.org/stable/c/d8971f410739a864c537e0ac29344a7b6c450232\"}, {\"url\": \"https://git.kernel.org/stable/c/03f9582a6a2ebd25a440896475c968428c4b63e7\"}, {\"url\": \"https://git.kernel.org/stable/c/c736ed8541605e3a25075bb1cbf8f38cb3083238\"}, {\"url\": \"https://git.kernel.org/stable/c/ac79001b8e603226fab17240a79cb9ef679d3cd9\"}, {\"url\": \"https://git.kernel.org/stable/c/c8af247de385ce49afabc3bf1cf4fd455c94bfe8\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudf: Fix a slab-out-of-bounds write bug in udf_find_entry()\\n\\nSyzbot reported a slab-out-of-bounds Write bug:\\n\\nloop0: detected capacity change from 0 to 2048\\n==================================================================\\nBUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0\\nfs/udf/namei.c:253\\nWrite of size 105 at addr ffff8880123ff896 by task syz-executor323/3610\\n\\nCPU: 0 PID: 3610 Comm: syz-executor323 Not tainted\\n6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0\\nHardware name: Google Compute Engine/Google Compute Engine, BIOS\\nGoogle 10/11/2022\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\\n print_address_description+0x74/0x340 mm/kasan/report.c:284\\n print_report+0x107/0x1f0 mm/kasan/report.c:395\\n kasan_report+0xcd/0x100 mm/kasan/report.c:495\\n kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189\\n memcpy+0x3c/0x60 mm/kasan/shadow.c:66\\n udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253\\n udf_lookup+0xef/0x340 fs/udf/namei.c:309\\n lookup_open fs/namei.c:3391 [inline]\\n open_last_lookups fs/namei.c:3481 [inline]\\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\\n do_sys_open fs/open.c:1326 [inline]\\n __do_sys_creat fs/open.c:1402 [inline]\\n __se_sys_creat fs/open.c:1396 [inline]\\n __x64_sys_creat+0x11f/0x160 fs/open.c:1396\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\nRIP: 0033:0x7ffab0d164d9\\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89\\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055\\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9\\nRDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180\\nRBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000\\nR10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0\\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\n \u003c/TASK\u003e\\n\\nAllocated by task 3610:\\n kasan_save_stack mm/kasan/common.c:45 [inline]\\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\\n ____kasan_kmalloc mm/kasan/common.c:371 [inline]\\n __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\\n kmalloc include/linux/slab.h:576 [inline]\\n udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243\\n udf_lookup+0xef/0x340 fs/udf/namei.c:309\\n lookup_open fs/namei.c:3391 [inline]\\n open_last_lookups fs/namei.c:3481 [inline]\\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\\n do_sys_open fs/open.c:1326 [inline]\\n __do_sys_creat fs/open.c:1402 [inline]\\n __se_sys_creat fs/open.c:1396 [inline]\\n __x64_sys_creat+0x11f/0x160 fs/open.c:1396\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe buggy address belongs to the object at ffff8880123ff800\\n which belongs to the cache kmalloc-256 of size 256\\nThe buggy address is located 150 bytes inside of\\n 256-byte region [ffff8880123ff800, ffff8880123ff900)\\n\\nThe buggy address belongs to the physical page:\\npage:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000\\nindex:0x0 pfn:0x123fe\\nhead:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0\\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\\nraw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40\\nraw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\\npage dumped because: kasan: bad access detected\\npage_owner tracks the page as allocated\\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(),\\npid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0\\n create_dummy_stack mm/page_owner.c:\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.9.334\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.14.300\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.267\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.225\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.155\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.79\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.0.9\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1\", \"versionStartIncluding\": \"4.6\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T08:46:46.900Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-49846\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-01T16:59:59.989Z\", \"dateReserved\": \"2025-05-01T14:05:17.230Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-05-01T14:10:00.703Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.