CVE-2022-49271 – A NULL pointer dereference vulnerability in the... (How to Fix)

Q: What is the severity of CVE-2022-49271?

CVE-2022-49271 has a CVSS score of 5.5 (MEDIUM). A NULL pointer dereference vulnerability in the Linux kernel's CIFS/SMB2 implementation allows local users to cause a kernel panic or potentially escalate privileges. The flaw occurs when smb2_ioctl_query_info() receives malformed parameters, leading to improper memory handling. This affects systems using CIFS mounts with the vulnerable kernel versions.

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's CIFS/SMB2 implementation allows local users to cause a kernel panic or potentially escalate privileges. The flaw occurs when smb2_ioctl_query_info() receives malformed parameters, leading to improper memory handling. This affects systems using CIFS mounts with the vulnerable kernel versions.

💻 Affected Systems

Products:

Linux kernel

Versions: Kernel versions before the fix commits (specific versions vary by distribution)

Operating Systems: Linux distributions using vulnerable kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Requires CIFS/SMB2 filesystem mounts to be present and accessible. The vulnerability is triggered via ioctl calls on CIFS-mounted files.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to kernel-level access leading to full system compromise, or denial of service via kernel panic.

🟠

Likely Case

Local denial of service through kernel panic or system crash when malicious ioctl calls are made.

🟢

If Mitigated

Minimal impact if proper access controls restrict local users and CIFS mounts aren't used.

🌐 Internet-Facing: LOW - Requires local access to the system with CIFS mounts.

🏢 Internal Only: MEDIUM - Local users on affected systems with CIFS mounts can trigger denial of service.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

The CVE description includes a working C reproducer. Exploitation requires local user access to trigger the ioctl on CIFS mounts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits: 7529fbee10d82493c5cb109e51788bf74816d1c0, 9963ccea6087268e1275b992dca5d0dd4b938765, b92e358757b91c2827af112cae9af513f26a3f34, f143f8334fb9eb2f6c7c15b9da1472d9c965fd84, fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53

Vendor Advisory: https://git.kernel.org/stable/c/7529fbee10d82493c5cb109e51788bf74816d1c0

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution. 2. Reboot system to load new kernel. 3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Restrict CIFS mount access

linux

Limit access to CIFS mounts to trusted users only using filesystem permissions.

chmod 700 /mnt/cifs_mount
chown root:root /mnt/cifs_mount

Disable CIFS module

linux

Remove CIFS kernel module if not required for system functionality.

rmmod cifs
echo 'blacklist cifs' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

Implement strict access controls on CIFS-mounted directories
Monitor for suspicious ioctl calls on CIFS filesystems

🔍 How to Verify

Check if Vulnerable:

Check kernel version and verify if CIFS module is loaded: uname -r && lsmod | grep cifs

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits and test with the reproducer code on CIFS mounts.

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages mentioning 'general protection fault' or 'null-ptr-deref' in CIFS context
System logs showing ioctl calls on CIFS files with unusual parameters

Network Indicators:

N/A - Local vulnerability only

SIEM Query:

source="kernel" AND ("general protection fault" OR "null-ptr-deref") AND "cifs"

📊 Metadata

CVE ID: CVE-2022-49271

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.05% exploit probability (16.1th percentile)

Published: February 26, 2025

Last Updated: September 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-49271, you might also want to check these: