{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49349","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T02:08:31.544Z","datePublished":"2025-02-26T02:11:02.993Z","dateUpdated":"2025-12-23T13:23:51.821Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-12-23T13:23:51.821Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_rename_dir_prepare\n\nWe got issue as follows:\nEXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue\next4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478\next4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000\next4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae\n==================================================================\nBUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220\nRead of size 4 at addr ffff88810beee6ae by task rep/1895\n\nCPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241\nCall Trace:\n dump_stack+0xbe/0xf9\n print_address_description.constprop.0+0x1e/0x220\n kasan_report.cold+0x37/0x7f\n ext4_rename_dir_prepare+0x152/0x220\n ext4_rename+0xf44/0x1ad0\n ext4_rename2+0x11c/0x170\n vfs_rename+0xa84/0x1440\n do_renameat2+0x683/0x8f0\n __x64_sys_renameat+0x53/0x60\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\nRIP: 0033:0x7f45a6fc41c9\nRSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9\nRDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005\nRBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080\nR10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0\nR13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000\n\nThe buggy address belongs to the page:\npage:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee\nflags: 0x200000000000000()\nraw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000\nraw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n>ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n                                  ^\n ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n==================================================================\nDisabling lock debugging due to kernel taint\next4_rename_dir_prepare: [2] parent_de->inode=3537895424\next4_rename_dir_prepare: [3] dir=0xffff888124170140\next4_rename_dir_prepare: [4] ino=2\next4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872\n\nReason is first directory entry which 'rec_len' is 34478, then will get illegal\nparent entry. Now, we do not check directory entry after read directory block\nin 'ext4_get_first_dir_block'.\nTo solve this issue, check directory entry in 'ext4_get_first_dir_block'.\n\n[ Trigger an ext4_error() instead of just warning if the directory is\n  missing a '.' or '..' entry.   Also make sure we return an error code\n  if the file system is corrupted.  -TYT ]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/namei.c"],"versions":[{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"1a3a15bf6f9963d755270cbdb282863b84839195","status":"affected","versionType":"git"},{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"97f802a652a749422dede32071d29a53cf4bd034","status":"affected","versionType":"git"},{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"10801095224de0d0ab06ae60698680c1f883a3ae","status":"affected","versionType":"git"},{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"eaecf7ebfd5dd09038a80b14be46b844f54cfc5c","status":"affected","versionType":"git"},{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"dd887f83ea54aea5b780a84527e23ab95f777fed","status":"affected","versionType":"git"},{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"364380c00912bed9b5d99eb485018360b0ecf64f","status":"affected","versionType":"git"},{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"0ff38b99fa075ddd246487a28cb9af049f4ceef1","status":"affected","versionType":"git"},{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"4a2bea60cf7ff957b3eda0b17750d483876a02fa","status":"affected","versionType":"git"},{"version":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4","lessThan":"0be698ecbe4471fcad80e81ec6a05001421041b3","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/namei.c"],"versions":[{"version":"3.8","status":"affected"},{"version":"0","lessThan":"3.8","status":"unaffected","versionType":"semver"},{"version":"4.9.318","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.283","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.247","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.198","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.121","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.46","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.17.14","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18.3","lessThanOrEqual":"5.18.*","status":"unaffected","versionType":"semver"},{"version":"5.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"4.9.318"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"4.14.283"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"4.19.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.4.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.10.121"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.15.46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.17.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.18.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1a3a15bf6f9963d755270cbdb282863b84839195"},{"url":"https://git.kernel.org/stable/c/97f802a652a749422dede32071d29a53cf4bd034"},{"url":"https://git.kernel.org/stable/c/10801095224de0d0ab06ae60698680c1f883a3ae"},{"url":"https://git.kernel.org/stable/c/eaecf7ebfd5dd09038a80b14be46b844f54cfc5c"},{"url":"https://git.kernel.org/stable/c/dd887f83ea54aea5b780a84527e23ab95f777fed"},{"url":"https://git.kernel.org/stable/c/364380c00912bed9b5d99eb485018360b0ecf64f"},{"url":"https://git.kernel.org/stable/c/0ff38b99fa075ddd246487a28cb9af049f4ceef1"},{"url":"https://git.kernel.org/stable/c/4a2bea60cf7ff957b3eda0b17750d483876a02fa"},{"url":"https://git.kernel.org/stable/c/0be698ecbe4471fcad80e81ec6a05001421041b3"}],"title":"ext4: fix use-after-free in ext4_rename_dir_prepare","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49349","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-27T18:16:42.619044Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-27T18:22:33.920Z"}}]}}