{ "threat_severity" : "Moderate", "public_date" : "2025-12-09T00:00:00Z", "bugzilla" : { "description" : "kernel: ext4: fix use-after-free in ext4_orphan_cleanup", "id" : "2420347", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420347" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix use-after-free in ext4_orphan_cleanup\nI caught a issue as follows:\n==================================================================\nBUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0\nRead of size 8 at addr ffff88814b13f378 by task mount/710\nCPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370\nCall Trace:\n\ndump_stack_lvl+0x73/0x9f\nprint_report+0x25d/0x759\nkasan_report+0xc0/0x120\n__asan_load8+0x99/0x140\n__list_add_valid+0x28/0x1a0\next4_orphan_cleanup+0x564/0x9d0 [ext4]\n__ext4_fill_super+0x48e2/0x5300 [ext4]\next4_fill_super+0x19f/0x3a0 [ext4]\nget_tree_bdev+0x27b/0x450\next4_get_tree+0x19/0x30 [ext4]\nvfs_get_tree+0x49/0x150\npath_mount+0xaae/0x1350\ndo_mount+0xe2/0x110\n__x64_sys_mount+0xf0/0x190\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n[...]\n==================================================================\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\next4_orphan_cleanup\n--- loop1: assume last_orphan is 12 ---\nlist_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)\next4_truncate --> return 0\next4_inode_attach_jinode --> return -ENOMEM\niput(inode) --> free inode<12>\n--- loop2: last_orphan is still 12 ---\nlist_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);\n// use inode<12> and trigger UAF\nTo solve this issue, we need to propagate the return value of\next4_inode_attach_jinode() appropriately.", "A use-after-free vulnerability was found in the ext4 filesystem's orphan inode cleanup routine in the Linux kernel. When ext4_inode_attach_jinode() fails with -ENOMEM during orphan cleanup at mount time, the error is not properly propagated. The inode is freed via iput(), but the orphan list still references the same inode number. On the next loop iteration, the freed inode structure is reused, triggering a use-after-free when adding it to the orphan list." ], "statement" : "This flaw occurs during ext4 filesystem mount when memory allocation fails at a specific point in orphan inode processing. Exploitation requires local access to mount ext4 filesystems and the ability to induce memory pressure during the mount operation, making practical exploitation difficult.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3634", "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7", "package" : "kernel-rt-0:3.10.0-1160.147.1.rt56.1299.el7" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3685", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "kernel-0:3.10.0-1160.147.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-10T00:00:00Z", "advisory" : "RHSA-2026:2378", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.104.1.rt7.445.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2264", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.104.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2026-02-12T00:00:00Z", "advisory" : "RHSA-2026:2664", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.185.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3360", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.186.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3360", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.186.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-02-11T00:00:00Z", "advisory" : "RHSA-2026:2490", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.179.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-02-11T00:00:00Z", "advisory" : "RHSA-2026:2490", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.179.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-02-11T00:00:00Z", "advisory" : "RHSA-2026:2490", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.179.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3277", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.130.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3277", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.130.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-02-11T00:00:00Z", "advisory" : "RHSA-2026:2573", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.165.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-02-11T00:00:00Z", "advisory" : "RHSA-2026:2577", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.165.1.rt21.237.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3267", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.158.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3358", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.158.1.rt14.443.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50673\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50673\nhttps://lore.kernel.org/linux-cve-announce/2025120947-CVE-2022-50673-f920@gregkh/T" ], "name" : "CVE-2022-50673", "csaw" : false }