{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50673","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-09T01:26:45.991Z","datePublished":"2025-12-09T01:29:25.220Z","dateUpdated":"2026-05-11T19:23:34.038Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:23:34.038Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_orphan_cleanup\n\nI caught a issue as follows:\n==================================================================\n BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0\n Read of size 8 at addr ffff88814b13f378 by task mount/710\n\n CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x73/0x9f\n  print_report+0x25d/0x759\n  kasan_report+0xc0/0x120\n  __asan_load8+0x99/0x140\n  __list_add_valid+0x28/0x1a0\n  ext4_orphan_cleanup+0x564/0x9d0 [ext4]\n  __ext4_fill_super+0x48e2/0x5300 [ext4]\n  ext4_fill_super+0x19f/0x3a0 [ext4]\n  get_tree_bdev+0x27b/0x450\n  ext4_get_tree+0x19/0x30 [ext4]\n  vfs_get_tree+0x49/0x150\n  path_mount+0xaae/0x1350\n  do_mount+0xe2/0x110\n  __x64_sys_mount+0xf0/0x190\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  </TASK>\n [...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n  ext4_orphan_cleanup\n   --- loop1: assume last_orphan is 12 ---\n    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)\n    ext4_truncate --> return 0\n      ext4_inode_attach_jinode --> return -ENOMEM\n    iput(inode) --> free inode<12>\n   --- loop2: last_orphan is still 12 ---\n    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);\n    // use inode<12> and trigger UAF\n\nTo solve this issue, we need to propagate the return value of\next4_inode_attach_jinode() appropriately."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/inode.c"],"versions":[{"version":"2c98eb5ea249767bbc11cf4e70e91d5b0458ed13","lessThan":"7f801a1593cb957f73659732836b2dafbdfc7709","status":"affected","versionType":"git"},{"version":"2c98eb5ea249767bbc11cf4e70e91d5b0458ed13","lessThan":"026a4490b5381229a30f23d073b58e8e35ee6858","status":"affected","versionType":"git"},{"version":"2c98eb5ea249767bbc11cf4e70e91d5b0458ed13","lessThan":"7223d5e75f26352354ea2c0ccf8b579821b52adf","status":"affected","versionType":"git"},{"version":"2c98eb5ea249767bbc11cf4e70e91d5b0458ed13","lessThan":"cf0e0817b0f925b70d101d7014ea81b7094e1159","status":"affected","versionType":"git"},{"version":"2c98eb5ea249767bbc11cf4e70e91d5b0458ed13","lessThan":"c2bdbd4c69308835d1b6f6ba74feeccbfe113478","status":"affected","versionType":"git"},{"version":"2c98eb5ea249767bbc11cf4e70e91d5b0458ed13","lessThan":"7908b8a541b1578cc61b4da7f19b604a931441da","status":"affected","versionType":"git"},{"version":"2c98eb5ea249767bbc11cf4e70e91d5b0458ed13","lessThan":"a71248b1accb2b42e4980afef4fa4a27fa0e36f5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/inode.c"],"versions":[{"version":"4.10","status":"affected"},{"version":"0","lessThan":"4.10","status":"unaffected","versionType":"semver"},{"version":"4.19.270","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.163","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.87","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.18","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.4","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.10.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.15.87"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.0.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.1.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709"},{"url":"https://git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858"},{"url":"https://git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf"},{"url":"https://git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159"},{"url":"https://git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478"},{"url":"https://git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da"},{"url":"https://git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5"}],"title":"ext4: fix use-after-free in ext4_orphan_cleanup","x_generator":{"engine":"bippy-1.2.0"}}}}