CVE-2022-49464

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's EROFS filesystem implementation, specifically in the ztailpacking feature. It allows attackers with local access to trigger memory corruption, potentially leading to privilege escalation or system crashes. Affected systems are those running vulnerable Linux kernel versions with EROFS support enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions with EROFS support released before the stable-tree fixes listed under Official Fix, i.e. from the commit that introduced the defect until the patch was applied.
Operating Systems: Linux distributions with vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if EROFS filesystem with ztailpacking feature is in use. Many distributions don't enable EROFS by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation to root, complete system compromise, or persistent denial of service through kernel panic.

🟠 Likely Case: Kernel panic causing system crash/reboot, or local privilege escalation if combined with other vulnerabilities.

🟢 If Mitigated: Limited to denial of service if proper kernel hardening and privilege separation are in place.

🌐 Internet-Facing: LOW - Requires local access to exploit, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local users or compromised services could exploit this for privilege escalation or DoS.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to mount/access EROFS filesystems with ztailpacking. Exploitation requires specific filesystem operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in stable kernel trees via commits: 4d53a625f29074e7b8236c2c0e0922edb7608df9, 6b59e1907f58cf877c563dcf013159eb9f994b64, dcbe6803fffd387f72b48c2373b5f5ed12a5804b

Vendor Advisory: https://git.kernel.org/stable/c/4d53a625f29074e7b8236c2c0e0922edb7608df9

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after the reboot.

🔧 Temporary Workarounds

Disable EROFS module

Linux

Prevent loading of EROFS kernel module to mitigate vulnerability

# Block future loads: modprobe runs /bin/false instead of loading the module
echo 'install erofs /bin/false' >> /etc/modprobe.d/disable-erofs.conf
# Unload it now; rmmod fails while any EROFS filesystem is still mounted, so unmount those first
rmmod erofs

🧯 If You Can't Patch

  • Restrict access to mount EROFS filesystems to privileged users only
  • Implement strict privilege separation to limit impact of local user exploits

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the EROFS module is loaded: uname -r && lsmod | grep erofs

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel version includes the fix, and check that no KASAN reports mentioning z_erofs_shifted_transform appear in the kernel log.
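The workaround and the verification steps above, as an added shell example that is not part of this advisory: it checks whether EROFS is currently loaded, whether a modprobe.d rule of the kind the workaround appends is in place, and, a point the advisory's lsmod check cannot show, whether EROFS is compiled into the kernel (in which case it never appears in lsmod and the modprobe rule does nothing). The file paths are parameters so the checks can be exercised against constructed files; erofs_report is the only function that reads the real system locations.

```shell
#!/bin/sh
# Added example (not from the advisory): does the EROFS workaround actually
# neutralise the module on this host, and can it?

# Is "erofs" listed in a /proc/modules-style file (first field = module name)?
erofs_module_loaded() {
    awk '$1 == "erofs" { found = 1 } END { exit !found }' "$1"
}

# Does any *.conf in a modprobe.d directory carry an "install erofs ..." rule
# like the one the workaround appends? Such a rule only blocks future loads.
erofs_install_blocked() {
    grep -qsE '^[[:space:]]*install[[:space:]]+erofs([[:space:]]|$)' "$1"/*.conf
}

# Is EROFS compiled into the kernel (CONFIG_EROFS_FS=y)? modules.builtin lists
# built-in objects such as kernel/fs/erofs/erofs.ko; a built-in EROFS never
# shows up in lsmod and cannot be blocked via modprobe.d, so only a patched
# kernel helps there.
erofs_builtin() {
    grep -qs '/erofs\.ko$' "$1"
}

# One-line verdict for the host: the workaround is effective only when the
# module is not built in, not loaded, and a modprobe rule stops reloading it.
erofs_report() {
    rel=$(uname -r)
    builtin_list="/lib/modules/$rel/modules.builtin"
    echo "kernel: $rel"
    if erofs_builtin "$builtin_list"; then
        echo "erofs: BUILT IN - modprobe workaround ineffective, patch the kernel"
        return 1
    fi
    if erofs_module_loaded /proc/modules; then
        echo "erofs: module loaded (unmount EROFS filesystems, then rmmod erofs)"
        return 1
    fi
    if erofs_install_blocked /etc/modprobe.d; then
        echo "erofs: not loaded and blocked from loading - workaround in place"
        return 0
    fi
    echo "erofs: not loaded but may be auto-loaded on mount - add the modprobe rule"
    return 1
}

# Run the host check only when asked, so sourcing this file has no side effects.
case "${1:-}" in report) erofs_report ;; esac
```

Run it as `sh erofs-check.sh report` on the host; the exit status is 0 only when the workaround is fully in place. The built-in check matters because distributions that ship EROFS as part of the kernel image (rather than as a module) cannot use the modprobe.d workaround at all.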

📡 Detection & Monitoring

Log Indicators:

  • Kernel logs showing KASAN reports for z_erofs_shifted_transform
  • System crashes/panics when accessing EROFS filesystems

Network Indicators:

  • None - local exploit only

SIEM Query:

kernel_log: "KASAN: use-after-free in z_erofs_shifted_transform" OR (kernel_log: "BUG: KASAN" AND kernel_log: "erofs")
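The same two-clause logic as the SIEM query, applied locally to an exported kernel log, as an added example that is not part of this advisory. The sample log is constructed, not captured from a real system: only the z_erofs_shifted_transform line mimics the report this CVE produces, while erofs_demo_fn and ext4_demo_fn are made-up symbols that exercise the broader second clause and a non-EROFS decoy.

```shell
#!/bin/sh
# Added example (not from the advisory): scan a kernel log export
# (e.g. `dmesg > /tmp/kern.log`) for the KASAN indicators listed above.
# Matching lines go to stderr, the match count to stdout.
erofs_kasan_count() {
    awk '
        # first clause of the query: the exact report for the fixed function
        /KASAN: use-after-free in z_erofs_shifted_transform/ { n++; print > "/dev/stderr"; next }
        # second clause: any KASAN BUG line that also mentions erofs
        /BUG: KASAN/ && /erofs/ { n++; print > "/dev/stderr" }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample log (not real output). erofs_demo_fn and ext4_demo_fn
# are made-up symbols; the ext4 line is a decoy that must not match.
write_sample_log() {
    cat > "$1" <<'EOF'
[  120.112233] erofs: mounted with root inode @ nid 36.
[  120.445566] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x1a0/0x2c0
[  120.445601] Read of size 8 at addr ffff888012345678 by task cat/1234
[  121.000001] BUG: KASAN: slab-out-of-bounds in ext4_demo_fn+0x10/0x20
[  122.000002] BUG: KASAN: use-after-free in erofs_demo_fn+0x30/0x40
[  123.000003] EXT4-fs (sda1): mounted filesystem with ordered data mode.
EOF
}

# Usage on a host: dmesg > /tmp/kern.log && erofs_kasan_count /tmp/kern.log
```

On the constructed log the count is 2 (the z_erofs_shifted_transform report and the generic erofs KASAN line); the ext4 report and the plain mount message are ignored. Note that KASAN reports only exist on kernels built with KASAN enabled; on a production kernel the same bug surfaces as the crash or panic named in the second log indicator, so pair this scan with crash and reboot monitoring.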
