CVE-2022-48923
📋 TL;DR
This CVE describes a memory corruption vulnerability in the Linux kernel's Btrfs filesystem LZO compression implementation. Attackers can trigger a buffer overflow by crafting corrupted compressed data, potentially causing system crashes or arbitrary code execution. Systems using Btrfs with LZO compression are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with kernel privileges leading to full system compromise.
Likely Case
System crash (kernel panic) or denial of service through stuck read operations.
If Mitigated
System crash without privilege escalation if kernel protections like KASLR/SMAP are effective.
🎯 Exploit Status
Requires ability to write corrupted compressed data to Btrfs volume. Exploit reliability depends on memory layout.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 741b23a970a79d5d3a1db2d64fa2c7b375a4febb, 8df508b7a44cd8110c726057cd28e8f8116885eb, or e326bd06cdde46df952361456232022298281d16
Vendor Advisory: https://git.kernel.org/stable/c/741b23a970a79d5d3a1db2d64fa2c7b375a4febb
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable LZO compression on Btrfs
Linux: Disable LZO compression on Btrfs filesystems to prevent exploitation
btrfs property set /mountpoint compression none
Use alternative compression
Linux: Switch to ZLIB or ZSTD compression instead of LZO
btrfs property set /mountpoint compression zlib
🧯 If You Can't Patch
- Disable Btrfs LZO compression on all volumes
- Restrict filesystem write access to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check if Btrfs with LZO compression is in use: 'btrfs filesystem show' and 'btrfs property get /mountpoint compression'
Check Version:
uname -r
Verify Fix Applied:
Check kernel version contains fix commits: 'uname -r' and verify with distribution security advisories
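An added example, not part of the original advisory: a shell function that enumerates Btrfs mounts selecting LZO through their mount options, so the per-mountpoint check above does not depend on knowing the mount points in advance. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Btrfs mounts whose mount options select LZO compression.
# Input on stdin is a mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Print the mount point of every btrfs entry mounted with
# compress=lzo or compress-force=lzo.
# Mount points containing spaces keep their \040 escapes, as in /proc/mounts.
lzo_btrfs_mounts() {
    awk '$3 == "btrfs" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^compress(-force)?=lzo(:.*)?$/) {
                print $2
                break
            }
        }
    }'
}

# Constructed sample mount table (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / btrfs rw,relatime,compress=lzo,ssd,space_cache=v2,subvolid=256,subvol=/root 0 0
/dev/sdb1 /data btrfs rw,noatime,compress=zstd:3,space_cache=v2,subvolid=5,subvol=/ 0 0
/dev/sdc1 /backup btrfs rw,relatime,compress-force=lzo,subvolid=5,subvol=/ 0 0
/dev/sdd1 /boot ext4 rw,relatime 0 0
/dev/sde1 /scratch btrfs rw,relatime,subvolid=5,subvol=/ 0 0
EOF
}

# Demo on the constructed table; prints "/" and "/backup".
sample_mounts | lzo_btrfs_mounts
```

On a live system, run `lzo_btrfs_mounts < /proc/mounts`. It reports mount options only; compression set per file or directory with `btrfs property set` still needs the `btrfs property get` check.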
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing 'general protection fault' in btrfs/lzo context
- System crashes or stuck read operations on Btrfs volumes
Network Indicators:
- None - local filesystem vulnerability
SIEM Query:
source="kernel" AND ("general protection fault" OR "#GP") AND ("btrfs" OR "lzo")