CVE-2022-49408
📋 TL;DR
A memory leak vulnerability in the Linux kernel's ext4 filesystem driver allows attackers to cause kernel memory exhaustion by mounting specially crafted filesystems. This affects all Linux systems using ext4 filesystems with custom mount options. The vulnerability requires local access to mount filesystems.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local attackers could mount malicious filesystems repeatedly to exhaust kernel memory, leading to system instability, denial of service, or potential kernel crashes.
Likely Case
Accidental triggering by legitimate users mounting corrupted filesystems, causing gradual memory consumption and system performance degradation.
If Mitigated
Minimal impact with proper access controls preventing unauthorized users from mounting filesystems.
🎯 Exploit Status
Reproducer provided in CVE description shows simple steps to trigger the leak. Requires local access and mount privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in Linux kernel stable branches via commits 9ea3e6168948189cec31d0678d2b55b395f88491, c069db76ed7b681c69159f44be96d2137e9ca989, f92ded66e9d0aa20b883a2a5183973abc8f41815
Vendor Advisory: https://git.kernel.org/stable/c/9ea3e6168948189cec31d0678d2b55b395f88491
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution's repositories.
2. Reboot system to load new kernel.
3. Verify kernel version with 'uname -r'.
🔧 Temporary Workarounds
Restrict mount privileges
Prevent non-root users from mounting filesystems using discretionary access controls or SELinux/AppArmor policies.
# Remove file capabilities from the mount binary
setcap -r /bin/mount
# Turn off the SELinux boolean virt_use_nfs (controls virtualization domains' access to NFS)
semanage boolean -m virt_use_nfs --off
Avoid custom mount options
Do not use custom mount options like usrjquota when mounting ext4 filesystems.
# Mount without custom options
mount /dev/vdc /mnt -t ext4 -o defaults
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from mounting filesystems
- Monitor system memory usage and kernel logs for signs of memory exhaustion
🔍 How to Verify
Check if Vulnerable:
Run the CVE's reproducer steps with kmemleak enabled and check whether the memory leak is reported.
Check Version:
uname -r
Verify Fix Applied:
After patching, attempt reproducer steps and verify no memory leaks appear in kmemleak output.
📡 Detection & Monitoring
Log Indicators:
- Kernel OOM (Out of Memory) messages in /var/log/kern.log or dmesg
- Increasing kernel memory usage without clear cause
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kern.log" AND ("Out of memory" OR "kernel: Out of memory")
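The two log indicators above can be checked with a small script. This is an added example, not part of the advisory or the kernel project: the function names, the 100000 kB growth threshold, and the use of SUnreclaim from /proc/meminfo as the measure of kernel memory are assumptions, and the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example: evaluate the two log indicators on text input.
# Function names and the growth threshold are assumptions.

# Count OOM-killer messages in kernel log text read from stdin.
count_oom() {
    grep -c -E 'Out of memory|invoked oom-killer' || true
}

# Print the current unreclaimable kernel slab size in kB.
sample_sunreclaim() {
    awk '/^SUnreclaim:/ { print $2 }' "${1:-/proc/meminfo}"
}

# Read SUnreclaim samples (kB, oldest first, one per line) from stdin.
# Prints "leak-suspect <growth>" if the series never shrinks and grows
# by at least $1 kB overall; otherwise prints "ok <growth>".
slab_trend() {
    awk -v min="$1" '
        NR == 1 { first = $1; prev = $1; mono = 1; next }
        { if ($1 + 0 < prev + 0) mono = 0; prev = $1 }
        END {
            growth = (NR > 1) ? prev - first : 0
            verdict = (mono && growth >= min) ? "leak-suspect" : "ok"
            print verdict, growth
        }'
}

# Constructed sample data, not taken from a real host.
SAMPLE_LOG='May 10 10:00:01 host kernel: EXT4-fs (vdc): mounted filesystem
May 10 10:05:42 host kernel: worker invoked oom-killer: gfp_mask=0x100cca
May 10 10:05:42 host kernel: Out of memory: Killed process 4242 (worker)'
SAMPLE_SLAB='102400
131072
180224
262144'

echo "OOM messages: $(printf '%s\n' "$SAMPLE_LOG" | count_oom)"
echo "Slab trend:   $(printf '%s\n' "$SAMPLE_SLAB" | slab_trend 100000)"
```

On a live host, collect one `sample_sunreclaim` value per interval into a file and pipe that file to `slab_trend`.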