CVE-2022-50673
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in ext4_orphan_cleanup
I caught an issue as follows:
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
Read of size 8 at addr ffff88814b13f378 by task mount/710
CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
Call Trace:
 dump_stack_lvl+0x73/0x9f
 print_report+0x25d/0x759
 kasan_report+0xc0/0x120
 __asan_load8+0x99/0x140
 __list_add_valid+0x28/0x1a0
 ext4_orphan_cleanup+0x564/0x9d0 [ext4]
 __ext4_fill_super+0x48e2/0x5300 [ext4]
 ext4_fill_super+0x19f/0x3a0 [ext4]
 get_tree_bdev+0x27b/0x450
 ext4_get_tree+0x19/0x30 [ext4]
 vfs_get_tree+0x49/0x150
 path_mount+0xaae/0x1350
 do_mount+0xe2/0x110
 __x64_sys_mount+0xf0/0x190
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
  ext4_orphan_cleanup
   --- loop1: assume last_orphan is 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
    ext4_truncate --> return 0
      ext4_inode_attach_jinode --> return -ENOMEM
    iput(inode) --> free inode<12>
   --- loop2: last_orphan is still 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
    // use inode<12> and trigger UAF
To solve this issue, we need to propagate the return value of ext4_inode_attach_jinode() appropriately.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in the Linux kernel's ext4 filesystem during orphan cleanup can be triggered by mounting a crafted ext4 image, potentially leading to system compromise.
Vulnerability
CVE-2022-50673 is a use-after-free vulnerability in the Linux kernel's ext4 filesystem, specifically in the ext4_orphan_cleanup function. The root cause is that when ext4_inode_attach_jinode() fails (e.g., with -ENOMEM), the error is not propagated to the caller. As a result, the orphan cleanup loop runs a second iteration that uses a stale orphan inode which has already been freed, leading to a use-after-free condition [1][2][3].
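The two-pass sequence from the commit message, as an added user-space model that is not the kernel's code or the actual patch. The names model_inode, model_truncate and model_orphan_cleanup are hypothetical, the freed state is a flag rather than real memory reuse, and the caller's reaction to a propagated error (unlink the inode and stop) is an assumption of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the loop in the commit message, not kernel
 * code: "freed" is only a flag, so no memory is actually reused. */
struct model_inode { bool freed; bool on_orphan_list; };

/* Stands in for ext4_truncate(). propagate=false is the pre-fix behaviour:
 * the -ENOMEM from the jinode attach is dropped and the caller sees 0. */
static int model_truncate(bool alloc_fails, bool propagate, int *last_orphan)
{
    int err = alloc_fails ? -ENOMEM : 0;  /* ext4_inode_attach_jinode() */
    if (err)
        return propagate ? err : 0;
    *last_orphan = 0;                     /* success empties the orphan chain */
    return 0;
}

/* Returns how many list_add() calls ran while freed inode<12> was still
 * linked (what KASAN flags); *err_out is the error the loop observed. */
static int model_orphan_cleanup(bool propagate, int *err_out)
{
    struct model_inode ino12 = { false, false };
    int last_orphan = 12, stale = 0;
    *err_out = 0;
    for (int pass = 0; last_orphan && pass < 2; pass++) {
        if (ino12.freed && ino12.on_orphan_list)
            stale++;                      /* loop2: list reaches freed inode */
        ino12.on_orphan_list = true;      /* list_add(&i_orphan, &s_orphan) */
        int ret = model_truncate(true, propagate, &last_orphan);
        if (ret) {                        /* model assumption: on error the */
            ino12.on_orphan_list = false; /* caller unlinks and stops */
            *err_out = ret;
            last_orphan = 0;
        }
        ino12.freed = true;               /* iput(inode) --> free inode<12> */
    }
    return stale;
}

int main(void)
{
    int err, stale = model_orphan_cleanup(false, &err);
    printf("pre-fix: stale=%d err=%d\n", stale, err);
    stale = model_orphan_cleanup(true, &err);
    printf("fixed:   stale=%d err=%d\n", stale, err);
    return 0;
}
```

With the error swallowed, the loop never learns that pass one failed, so the second pass touches the freed entry once; with the error propagated, the count is zero and the loop reports -ENOMEM.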
Exploitation
An attacker can trigger this vulnerability by mounting a specially crafted ext4 filesystem image that contains orphan inodes. The attack requires local access to the system and the ability to mount a filesystem, which typically requires root or privileged capabilities. During the mount process, the kernel's ext4_fill_super function calls ext4_orphan_cleanup, which iterates over the orphan list. If truncation of the first orphan inode fails because of a memory allocation failure, the inode is freed, but the loop continues with the same orphan inode pointer, causing the use-after-free [1][2][3].
Impact
Successful exploitation could allow an attacker to cause a denial of service (system crash), or potentially to escalate privileges or execute arbitrary code in the kernel context, depending on the system's memory layout and the attacker's ability to control the freed memory. The vulnerability is rated with a CVSS v3.1 score of 7.8 (High) due to its impact on confidentiality, integrity, and availability [1][2][3].
Mitigation
The fix has been applied to the Linux kernel stable tree. Users should update to a kernel version containing the commit that propagates the return value of ext4_inode_attach_jinode() appropriately, preventing the use-after-free. The fix is included in kernel versions 6.1.0-rc3-next and later, as well as in subsequent stable releases [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (7)
7f801a1593cb, 026a4490b538, 7223d5e75f26, cf0e0817b0f9, c2bdbd4c6930, 7908b8a541b1, a71248b1accb
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858 (nvd)
- git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf (nvd)
- git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da (nvd)
- git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709 (nvd)
- git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5 (nvd)
- git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478 (nvd)
- git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159 (nvd)