{ "threat_severity" : "Moderate", "public_date" : "2025-09-16T00:00:00Z", "bugzilla" : { "description" : "kernel: ext4: fix null-ptr-deref in ext4_write_info", "id" : "2395860", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395860" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix null-ptr-deref in ext4_write_info\nI caught a null-ptr-deref bug as follows:\n==================================================================\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339\nRIP: 0010:ext4_write_info+0x53/0x1b0\n[...]\nCall Trace:\ndquot_writeback_dquots+0x341/0x9a0\next4_sync_fs+0x19e/0x800\n__sync_filesystem+0x83/0x100\nsync_filesystem+0x89/0xf0\ngeneric_shutdown_super+0x79/0x3e0\nkill_block_super+0xa1/0x110\ndeactivate_locked_super+0xac/0x130\ndeactivate_super+0xb6/0xd0\ncleanup_mnt+0x289/0x400\n__cleanup_mnt+0x16/0x20\ntask_work_run+0x11c/0x1c0\nexit_to_user_mode_prepare+0x203/0x210\nsyscall_exit_to_user_mode+0x5b/0x3a0\ndo_syscall_64+0x59/0x70\nentry_SYSCALL_64_after_hwframe+0x44/0xa9\n==================================================================\nAbove issue may happen as follows:\n-------------------------------------\nexit_to_user_mode_prepare\ntask_work_run\n__cleanup_mnt\ncleanup_mnt\ndeactivate_super\ndeactivate_locked_super\nkill_block_super\ngeneric_shutdown_super\nshrink_dcache_for_umount\ndentry = sb->s_root\nsb->s_root = NULL <--- Here set NULL\nsync_filesystem\n__sync_filesystem\nsb->s_op->sync_fs > ext4_sync_fs\ndquot_writeback_dquots\nsb->dq_op->write_info > ext4_write_info\next4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2)\nd_inode(sb->s_root)\ns_root->d_inode <--- Null pointer dereference\nTo solve this problem, we use ext4_journal_start_sb directly\nto avoid s_root being used." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:3138", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50344\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50344\nhttps://lore.kernel.org/linux-cve-announce/2025091639-CVE-2022-50344-8893@gregkh/T" ], "name" : "CVE-2022-50344", "csaw" : false }