CVE-2022-50581
Description
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix OOB Read in __hfs_brec_find
Syzbot reported an OOB read bug:
==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.0-rc6-syzkaller-00308-g644e9524388a #0
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x1f0 mm/kasan/report.c:395
 kasan_report+0xcd/0x100 mm/kasan/report.c:495
 hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
 __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75
 hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138
 hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462
 write_inode fs/fs-writeback.c:1440 [inline]
If the input inode of hfs_write_inode() is incorrect:
struct inode
  struct hfs_inode_info
    struct hfs_cat_key
      struct hfs_name
        u8 len # len is greater than HFS_NAMELEN(31) which is the maximum length of an HFS filename
OOB read occurred:
hfs_write_inode()
  hfs_brec_find()
    __hfs_brec_find()
      hfs_cat_keycmp()
        hfs_strcmp() # OOB read occurred due to len is too large
Fix this by adding a check on len in hfs_write_inode() before calling hfs_brec_find().
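The check described above, as an added userspace example (not the kernel patch or any code from this page). The struct name_model type, the helpers make_name(), name_cmp() and checked_find(), the use of memcmp in place of the kernel's HFS string comparison, and the -EIO return value are all assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HFS_NAMELEN 31 /* maximum HFS filename length, per the description */

/* Userspace model (assumption): a length byte followed by a fixed buffer. */
struct name_model { uint8_t len; uint8_t name[HFS_NAMELEN]; };

/* Constructed input: copy s, but store claimed_len, which may not match. */
static struct name_model make_name(const char *s, uint8_t claimed_len)
{
    struct name_model n = { .len = claimed_len };
    size_t k = strlen(s);
    memcpy(n.name, s, k < HFS_NAMELEN ? k : HFS_NAMELEN);
    return n;
}

/* Trusts both len fields, so it is only safe after validation.
 * memcmp stands in for the kernel's HFS string comparison. */
static int name_cmp(const struct name_model *a, const struct name_model *b)
{
    size_t n = a->len < b->len ? a->len : b->len;
    int d = memcmp(a->name, b->name, n);
    return d ? d : (int)a->len - (int)b->len;
}

/* Validate before searching: len above HFS_NAMELEN means a corrupted key,
 * so fail (-EIO is this example's choice) instead of comparing. */
static int checked_find(const struct name_model *key,
                        const struct name_model *rec, int *cmp)
{
    if (key->len > HFS_NAMELEN || rec->len > HFS_NAMELEN)
        return -EIO;
    *cmp = name_cmp(key, rec);
    return 0;
}

int main(void)
{
    struct name_model ok = make_name("report", 6), rec = make_name("resume", 6);
    struct name_model bad = make_name("report", 200); /* corrupted length */
    int cmp = 0, rc = checked_find(&ok, &rec, &cmp);
    printf("valid key:     rc=%d cmp=%d\n", rc, cmp);
    printf("corrupted key: rc=%d\n", checked_find(&bad, &rec, &cmp));
    return 0;
}
```

Without the length test in checked_find(), name_cmp() would read up to 200 bytes from a 31-byte buffer for the corrupted key, which is the same class of read KASAN flagged in hfs_strcmp().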
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in the Linux kernel's HFS filesystem occurs when a crafted filename length exceeds HFS_NAMELEN, leading to a slab-out-of-bounds read in hfs_strcmp.
Root Cause
In the Linux kernel's HFS filesystem, the function hfs_write_inode() fails to validate the len field of a filename stored in struct hfs_name. If len is greater than HFS_NAMELEN (31), subsequent calls to __hfs_brec_find() trigger an out-of-bounds read in hfs_strcmp(), as reported by syzbot[1][2][3][4].
Exploitation
An attacker can trigger this vulnerability by providing a crafted inode with an oversized filename length. This does not require special privileges beyond the ability to interact with the HFS filesystem (e.g., by mounting a malicious HFS image). The OOB read occurs during writeback operations, when the kernel calls hfs_write_inode() to write the inode to disk.
Impact
A slab-out-of-bounds read can cause a kernel crash or potentially leak sensitive kernel memory. The KASAN report confirms the read of size 1 at an invalid address, which may lead to system instability or information disclosure.
Mitigation
The fix adds a sanity check on len in hfs_write_inode() before calling hfs_brec_find(). This patch has been applied to the Linux kernel stable branches[1][2][3][4]. Users should update to a kernel containing the fix or apply the relevant stable commits.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30 (nvd)
- git.kernel.org/stable/c/367296925c7625c3969d2a78d7a3e1dee161beb5 (nvd)
- git.kernel.org/stable/c/4fd3a11804c8877ff11fec59c5c53f1635331e3e (nvd)
- git.kernel.org/stable/c/8c40f2dbae603ef0bd21e87c63f54ec59fd88256 (nvd)
- git.kernel.org/stable/c/8d824e69d9f3fa3121b2dda25053bae71e2460d2 (nvd)
- git.kernel.org/stable/c/90103ccb6e60aa4efe48993d23d6a528472f2233 (nvd)
- git.kernel.org/stable/c/bfc9d8f27f89717431a6aecce42ae230b437433f (nvd)
- git.kernel.org/stable/c/c886c10a6eddb99923b315f42bf63f448883ef9a (nvd)
- git.kernel.org/stable/c/e9e692917c6e10a7066c7a6d092dcdc3d4e329f3 (nvd)