{
  "threat_severity" : "Low",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext4: fix uninitialized value in 'ext4_evict_inode'",
    "id" : "2402240",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402240"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-908",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix uninitialized value in 'ext4_evict_inode'\nSyzbot found the following issue:\n=====================================================\nBUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180\next4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180\nevict+0x365/0x9a0 fs/inode.c:664\niput_final fs/inode.c:1747 [inline]\niput+0x985/0xdd0 fs/inode.c:1773\n__ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361\next4_mknod+0x376/0x840 fs/ext4/namei.c:2844\nvfs_mknod+0x79d/0x830 fs/namei.c:3914\ndo_mknodat+0x47d/0xaa0\n__do_sys_mknodat fs/namei.c:3992 [inline]\n__se_sys_mknodat fs/namei.c:3989 [inline]\n__ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989\ndo_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\ndo_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\ndo_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246\nentry_SYSENTER_compat_after_hwframe+0x70/0x82\nUninit was created at:\n__alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578\nalloc_pages+0xaae/0xd80 mm/mempolicy.c:2285\nalloc_slab_page mm/slub.c:1794 [inline]\nallocate_slab+0x1b5/0x1010 mm/slub.c:1939\nnew_slab mm/slub.c:1992 [inline]\n___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180\n__slab_alloc mm/slub.c:3279 [inline]\nslab_alloc_node mm/slub.c:3364 [inline]\nslab_alloc mm/slub.c:3406 [inline]\n__kmem_cache_alloc_lru mm/slub.c:3413 [inline]\nkmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429\nalloc_inode_sb include/linux/fs.h:3117 [inline]\next4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321\nalloc_inode+0x83/0x440 fs/inode.c:259\nnew_inode_pseudo fs/inode.c:1018 [inline]\nnew_inode+0x3b/0x430 fs/inode.c:1046\n__ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959\next4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992\nvfs_mkdir+0x62a/0x870 fs/namei.c:4035\ndo_mkdirat+0x466/0x7b0 fs/namei.c:4060\n__do_sys_mkdirat fs/namei.c:4075 [inline]\n__se_sys_mkdirat fs/namei.c:4073 [inline]\n__ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073\ndo_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\ndo_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\ndo_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246\nentry_SYSENTER_compat_after_hwframe+0x70/0x82\nCPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n=====================================================\nNow, 'ext4_alloc_inode()' doesn't init 'ei->i_flags'. If creating a new inode fails before 'ei->i_flags' is set in '__ext4_new_inode()', 'iput()' is then called. Since commit 6bc0d63dad7f, 'ext4_evict_inode()' accesses 'ei->i_flags', which leads to an access of an uninit-value.\nTo solve the above issue, just init 'ei->i_flags' in 'ext4_alloc_inode()'.", "An uninitialized variable flaw was found in the Linux kernel's ext4 filesystem in the inode eviction path.\nA local user can trigger this issue by performing filesystem operations (for example mkdir or mknod) whose inode allocation fails before the i_flags field is initialized; the inode cleanup that follows the failure then reads the uninitialized field. This causes the kernel to access uninitialized memory, resulting in unpredictable behavior and denial of service through a kernel crash." ],
  "statement" : "The ext4_alloc_inode function allocates the in-memory ext4 inode but does not initialize the ei->i_flags field. When __ext4_new_inode encounters an error before setting i_flags and calls iput to clean up, ext4_evict_inode reads the uninitialized i_flags value. This accesses undefined memory contents, triggering KMSAN (Kernel Memory Sanitizer) warnings and potentially causing kernel crashes or unpredictable behavior. The issue only arises on the error path of inode creation, during otherwise normal filesystem operations such as mkdir or mknod, when inode allocation fails partway through; this can happen under memory pressure or filesystem corruption. Any local user performing filesystem operations on ext4 volumes can potentially trigger this condition. The impact is limited to availability, consistent with the CVSS vector (C:N/I:N/A:H); the fix is to initialize ei->i_flags in ext4_alloc_inode.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50546\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50546\nhttps://lore.kernel.org/linux-cve-announce/2025100757-CVE-2022-50546-ef71@gregkh/T" ],
  "name" : "CVE-2022-50546",
  "csaw" : false
}