CVE-2022-50841 (GCVE-0-2022-50841)
Vulnerability from cvelistv5
Published
2025-12-30 12:10
Modified
2025-12-30 12:10
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Add overflow check for attribute size
The offset addition could overflow and pass the used size check given an
attribute with very large size (e.g., 0xffffff7f) while parsing MFT
attributes. This could lead to out-of-bound memory R/W if we try to
access the next attribute derived by Add2Ptr(attr, asize)
[ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067
[ 32.964301] #PF: supervisor read access in kernel mode
[ 32.964526] #PF: error_code(0x0000) - not-present page
[ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0
[ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6
[ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110
[ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a
[ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283
[ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f
[ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8
[ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f
[ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000
[ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170
[ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000
[ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0
[ 32.972098] Call Trace:
[ 32.972842] <TASK>
[ 32.973341] ni_enum_attr_ex+0xda/0xf0
[ 32.974087] ntfs_iget5+0x1db/0xde0
[ 32.974386] ? slab_post_alloc_hook+0x53/0x270
[ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0
[ 32.975115] ntfs_fill_super+0x5d6/0x12a0
[ 32.975336] get_tree_bdev+0x175/0x270
[ 32.975709] ? put_ntfs+0x150/0x150
[ 32.975956] ntfs_fs_get_tree+0x15/0x20
[ 32.976191] vfs_get_tree+0x2a/0xc0
[ 32.976374] ? capable+0x19/0x20
[ 32.976572] path_mount+0x484/0xaa0
[ 32.977025] ? putname+0x57/0x70
[ 32.977380] do_mount+0x80/0xa0
[ 32.977555] __x64_sys_mount+0x8b/0xe0
[ 32.978105] do_syscall_64+0x3b/0x90
[ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 32.979311] RIP: 0033:0x7fdab72e948a
[ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
[ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a
[ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0
[ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020
[ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0
[ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff
[ 32.984094] </TASK>
[ 32.984352] Modules linked in:
[ 32.984753] CR2: ffff956a83c76067
[ 32.985911] ---[ end trace 0000000000000000 ]---
[ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110
[ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a
[ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283
[ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f
[ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8
[ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f
[ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000
[ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170
[ 32.991011] FS:
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/record.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d4489ba8fb806e07b43eecca5e9af5865d94cbf6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1f0b873cf6ac1f00a749707d866494ed0708978",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0bb9f93ba63acfdb7c363d9f9fc2199fc6fa913d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e19c6277652efba203af4ecd8eed4bd30a0054c9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/record.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add overflow check for attribute size\n\nThe offset addition could overflow and pass the used size check given an\nattribute with very large size (e.g., 0xffffff7f) while parsing MFT\nattributes. This could lead to out-of-bound memory R/W if we try to\naccess the next attribute derived by Add2Ptr(attr, asize)\n\n[ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067\n[ 32.964301] #PF: supervisor read access in kernel mode\n[ 32.964526] #PF: error_code(0x0000) - not-present page\n[ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0\n[ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6\n[ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110\n[ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a\n[ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283\n[ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f\n[ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8\n[ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f\n[ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000\n[ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170\n[ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000\n[ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0\n[ 32.972098] Call Trace:\n[ 32.972842] \u003cTASK\u003e\n[ 32.973341] ni_enum_attr_ex+0xda/0xf0\n[ 32.974087] ntfs_iget5+0x1db/0xde0\n[ 32.974386] ? slab_post_alloc_hook+0x53/0x270\n[ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0\n[ 32.975115] ntfs_fill_super+0x5d6/0x12a0\n[ 32.975336] get_tree_bdev+0x175/0x270\n[ 32.975709] ? put_ntfs+0x150/0x150\n[ 32.975956] ntfs_fs_get_tree+0x15/0x20\n[ 32.976191] vfs_get_tree+0x2a/0xc0\n[ 32.976374] ? capable+0x19/0x20\n[ 32.976572] path_mount+0x484/0xaa0\n[ 32.977025] ? putname+0x57/0x70\n[ 32.977380] do_mount+0x80/0xa0\n[ 32.977555] __x64_sys_mount+0x8b/0xe0\n[ 32.978105] do_syscall_64+0x3b/0x90\n[ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 32.979311] RIP: 0033:0x7fdab72e948a\n[ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5\n[ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a\n[ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0\n[ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020\n[ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0\n[ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff\n[ 32.984094] \u003c/TASK\u003e\n[ 32.984352] Modules linked in:\n[ 32.984753] CR2: ffff956a83c76067\n[ 32.985911] ---[ end trace 0000000000000000 ]---\n[ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110\n[ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a\n[ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283\n[ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f\n[ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8\n[ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f\n[ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000\n[ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170\n[ 32.991011] FS: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:59.743Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d4489ba8fb806e07b43eecca5e9af5865d94cbf6"
},
{
"url": "https://git.kernel.org/stable/c/a1f0b873cf6ac1f00a749707d866494ed0708978"
},
{
"url": "https://git.kernel.org/stable/c/0bb9f93ba63acfdb7c363d9f9fc2199fc6fa913d"
},
{
"url": "https://git.kernel.org/stable/c/e19c6277652efba203af4ecd8eed4bd30a0054c9"
}
],
"title": "fs/ntfs3: Add overflow check for attribute size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50841",
"datePublished": "2025-12-30T12:10:59.743Z",
"dateReserved": "2025-12-30T12:06:07.133Z",
"dateUpdated": "2025-12-30T12:10:59.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-50841\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:15:58.677\",\"lastModified\":\"2025-12-31T20:43:05.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Add overflow check for attribute size\\n\\nThe offset addition could overflow and pass the used size check given an\\nattribute with very large size (e.g., 0xffffff7f) while parsing MFT\\nattributes. This could lead to out-of-bound memory R/W if we try to\\naccess the next attribute derived by Add2Ptr(attr, asize)\\n\\n[ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067\\n[ 32.964301] #PF: supervisor read access in kernel mode\\n[ 32.964526] #PF: error_code(0x0000) - not-present page\\n[ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0\\n[ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI\\n[ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6\\n[ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n[ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110\\n[ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a\\n[ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283\\n[ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f\\n[ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8\\n[ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f\\n[ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000\\n[ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170\\n[ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000\\n[ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0\\n[ 32.972098] Call Trace:\\n[ 32.972842] \u003cTASK\u003e\\n[ 32.973341] ni_enum_attr_ex+0xda/0xf0\\n[ 32.974087] ntfs_iget5+0x1db/0xde0\\n[ 32.974386] ? slab_post_alloc_hook+0x53/0x270\\n[ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0\\n[ 32.975115] ntfs_fill_super+0x5d6/0x12a0\\n[ 32.975336] get_tree_bdev+0x175/0x270\\n[ 32.975709] ? put_ntfs+0x150/0x150\\n[ 32.975956] ntfs_fs_get_tree+0x15/0x20\\n[ 32.976191] vfs_get_tree+0x2a/0xc0\\n[ 32.976374] ? capable+0x19/0x20\\n[ 32.976572] path_mount+0x484/0xaa0\\n[ 32.977025] ? putname+0x57/0x70\\n[ 32.977380] do_mount+0x80/0xa0\\n[ 32.977555] __x64_sys_mount+0x8b/0xe0\\n[ 32.978105] do_syscall_64+0x3b/0x90\\n[ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n[ 32.979311] RIP: 0033:0x7fdab72e948a\\n[ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\\n[ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5\\n[ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a\\n[ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0\\n[ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020\\n[ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0\\n[ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff\\n[ 32.984094] \u003c/TASK\u003e\\n[ 32.984352] Modules linked in:\\n[ 32.984753] CR2: ffff956a83c76067\\n[ 32.985911] ---[ end trace 0000000000000000 ]---\\n[ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110\\n[ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a\\n[ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283\\n[ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f\\n[ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8\\n[ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f\\n[ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000\\n[ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170\\n[ 32.991011] FS: \\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0bb9f93ba63acfdb7c363d9f9fc2199fc6fa913d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a1f0b873cf6ac1f00a749707d866494ed0708978\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d4489ba8fb806e07b43eecca5e9af5865d94cbf6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e19c6277652efba203af4ecd8eed4bd30a0054c9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…