CVE-2022-50749

Root

Cause

In the Linux kernel's process accounting subsystem for process accounting (kernel/acct.c), the function encode_comp_t() converts a 64-bit value into a compressed comp_t type (a __u16). The overflow occurs because the code uses an int variable exp to accumulate the result of a left shift and addition (exp <<= MANTSIZE; exp += value;). When the computed exp exceeds the maximum value storable in a __u16 (65535), the integer wraps around, producing an incorrect compressed representation [1][2][3][4].

Exploitation

Prerequisites

This vulnerability exists in the kernel's accounting feature, which is not enabled by default in most distributions. Exploitation requires either local access to a system that has process accounting turned on (e.g., via accton) or the ability to trigger the accounting of a process with extremely large resource usage metrics. No special privileges beyond being able to execute processes are required if accounting is active; the bug is triggered automatically during normal accounting operations when the raw 64-bit value exceeds certain thresholds [1][2][3][4].

Impact

If a process accumulates a large amount of CPU time or other tracked resource, the accounting record written to the log file will contain an incorrect (wrapped) value. This can lead to misinterpretation of resource usage by monitoring tools, potentially masking excessive consumption or causing billing/auditing errors. The vulnerability itself does not provide direct privilege escalation or code execution, but it corrupts the integrity of system accounting data [1][2][3][4].

Mitigation

The fix was applied to multiple stable kernel branches via commits that ensure proper type handling, eliminating the overflow condition. System administrators should apply the latest stable kernel updates from their distribution to protect against this issue. The vulnerability is not known to be exploited in the wild and is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2][3][4].