VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50766

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer

syzbot is reporting uninit-value in btrfs_clean_tree_block() [1], for commit bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code") missed that btrfs_set_header_generation() in btrfs_init_new_buffer() must not be moved to after clean_tree_block() because clean_tree_block() is calling btrfs_header_generation() since commit 55c69072d6bd5be1 ("Btrfs: Fix extent_buffer usage when nodesize != leafsize").

Since memzero_extent_buffer() will reset "struct btrfs_header" part, we can't move btrfs_set_header_generation() to before memzero_extent_buffer(). Just re-add btrfs_set_header_generation() before btrfs_clean_tree_block().
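The ordering constraint in the description, modeled in user-space C. This is an added example, not kernel code and not part of the advisory; the struct layout, the helper names, the two ordering flags and the 0xAA poison byte standing in for uninitialized memory are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (assumed, illustrative layout). */
struct hdr { uint64_t bytenr; uint64_t generation; uint8_t level; };
struct ebuf { struct hdr h; uint64_t seen_by_clean; };

#define STALE 0xAA /* constructed poison byte standing in for leftover memory */

/* Model of btrfs_clean_tree_block(): records the generation it reads. */
static void clean_tree_block(struct ebuf *b) { b->seen_by_clean = b->h.generation; }

/* Model of memzero_extent_buffer() applied to the header region. */
static void memzero_header(struct ebuf *b) { memset(&b->h, 0, sizeof(b->h)); }

/*
 * Model of btrfs_init_new_buffer() with the two candidate positions for the
 * generation store exposed as flags (hypothetical parameters):
 *   set_before_clean=0, set_after_zero=1  ordering after the refactor (bug)
 *   set_before_clean=1, set_after_zero=1  ordering after the fix
 *   set_before_clean=1, set_after_zero=0  "just move it earlier", ruled out
 */
static struct ebuf init_new_buffer(uint64_t transid, uint8_t level,
                                   int set_before_clean, int set_after_zero)
{
    struct ebuf b;
    memset(&b, STALE, sizeof(b));      /* new buffer, contents not yet initialized */
    if (set_before_clean)
        b.h.generation = transid;      /* the store the fix re-adds */
    clean_tree_block(&b);              /* reads the header generation */
    memzero_header(&b);                /* wipes the whole header ... */
    b.h.level = level;
    if (set_after_zero)
        b.h.generation = transid;      /* ... so this later store has to stay */
    return b;
}

int main(void)
{
    struct ebuf bug = init_new_buffer(7, 0, 0, 1);
    struct ebuf fix = init_new_buffer(7, 0, 1, 1);
    struct ebuf mov = init_new_buffer(7, 0, 1, 0);
    printf("refactor: clean saw %#llx\n", (unsigned long long)bug.seen_by_clean);
    printf("fixed:    clean saw %#llx\n", (unsigned long long)fix.seen_by_clean);
    printf("moved:    final generation %llu\n", (unsigned long long)mov.h.generation);
    return 0;
}
```

The third case shows why the fix stores the generation twice: a single store placed before the header is zeroed satisfies the clean call but leaves the final header generation at 0.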

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's btrfs code, the header generation was set only after btrfs_clean_tree_block() had run, so that function read an uninitialized value; the fix sets the generation before the call.

The vulnerability is an initialization ordering bug in the btrfs filesystem driver within the Linux kernel. In btrfs_init_new_buffer, the function btrfs_set_header_generation() was inadvertently moved to after btrfs_clean_tree_block() during a refactoring commit (bc877d285ca3dba2). However, btrfs_clean_tree_block() reads the header generation via btrfs_header_generation(), expecting it to be set before the cleanup call. This results in an uninitialized value being used [1].

The attack surface is local; an attacker would need the ability to trigger btrfs buffer initialization operations, which typically requires user privileges to mount and interact with btrfs filesystems. The bug is triggered during normal file system operations, making it exploitable without special conditions [2].

The impact includes reading uninitialized kernel memory, which could lead to information disclosure (leaking sensitive kernel data) or a kernel crash (denial of service). The kernel's syzbot fuzzer reported this as an "uninit-value" bug, indicating potential for instability or data exposure.

Mitigation is available through stable kernel updates. The fix (re-adding btrfs_set_header_generation() before btrfs_clean_tree_block()) has been applied in the Linux kernel stable branches. Users should update their kernels to include the patched versions referenced in commits [1] and [2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
