CVE-2022-49560
📋 TL;DR
A memory corruption vulnerability in the Linux kernel's exFAT filesystem driver allows out-of-bounds read/write operations when handling invalid cluster numbers. This affects Linux systems using exFAT filesystems and can lead to kernel crashes or potential privilege escalation. The vulnerability is triggered by operations like truncating files to size 0.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential privilege escalation allowing attackers to execute arbitrary code with kernel privileges.
Likely Case
System instability, kernel crashes (denial of service), or information disclosure through memory reads.
If Mitigated
Minimal impact with proper validation preventing invalid cluster number operations.
🎯 Exploit Status
Requires local access and ability to perform filesystem operations on exFAT volumes. Triggered by specific file operations like truncate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel versions that include commit 2193286402df2d9c53294f7a858d5e6fd7346e08 or later
Vendor Advisory: https://git.kernel.org/stable/c/2193286402df2d9c53294f7a858d5e6fd7346e08
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.
🔧 Temporary Workarounds
Disable exFAT module
Linux: Prevent loading of the exFAT filesystem driver if it is not needed
echo 'blacklist exfat' >> /etc/modprobe.d/blacklist.conf
rmmod exfat
Avoid exFAT filesystems
All: Do not mount or use exFAT-formatted drives
🧯 If You Can't Patch
- Restrict local user access to systems with exFAT filesystems
- Implement strict filesystem monitoring and alert on suspicious truncate operations
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether the exFAT module is loaded: uname -r && lsmod | grep exfat
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is patched and test exFAT operations with test files
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- KASAN reports mentioning exfat_clear_bitmap
- System crashes during file operations
Network Indicators:
- None - local vulnerability
SIEM Query:
source="kernel" AND ("KASAN" OR "slab-out-of-bounds" OR "exfat")
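The log indicators above, as an added example that is not from the original page or the kernel project: a Python parser that groups kernel log lines into KASAN reports and keeps only those with an exfat_ symbol in the header or call trace, which is narrower than the OR-based SIEM query. The sample log is constructed; apart from exfat_clear_bitmap, the function and task names in it are placeholders, and kasan_reports and exfat_alerts are hypothetical names.

```python
import re

# Constructed sample kernel log, not captured from a real system. Only
# exfat_clear_bitmap comes from the page; other names are placeholders.
SAMPLE_LOG = """\
[  101.000001] exFAT-fs (sdb1): constructed benign mount message
[  120.500000] ==================================================================
[  120.500010] BUG: KASAN: slab-out-of-bounds in exfat_clear_bitmap+0x10/0x20
[  120.500020] Read of size 8 at addr ffff888000000000 by task truncate/4242
[  120.500030] Call Trace:
[  120.500040]  exfat_clear_bitmap+0x10/0x20
[  120.500050] ==================================================================
[  300.000000] ==================================================================
[  300.000010] BUG: KASAN: use-after-free in placeholder_driver_fn+0x10/0x40
[  300.000020] Read of size 4 at addr ffff888000000100 by task worker/77
[  300.000030] ==================================================================
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # dmesg timestamp prefix
HEAD = re.compile(r"BUG: KASAN: (\S+) in (\w+)")  # report header line
TASK = re.compile(r"by task (\S+)/(\d+)")         # faulting task and PID


def kasan_reports(log_text):
    """Split a kernel log into KASAN reports (header up to the '====' rule)."""
    reports, current = [], None
    for raw in log_text.splitlines():
        line = TS.sub("", raw).strip()
        head = HEAD.search(line)
        if head:
            current = {"type": head.group(1), "function": head.group(2),
                       "task": None, "lines": []}
        elif current is not None and line and set(line) == {"="}:
            reports.append(current)  # closing rule ends the report
            current = None
        if current is not None:
            current["lines"].append(line)
            task = TASK.search(line)
            if task:
                current["task"] = task.group(1)
    if current is not None:
        reports.append(current)  # log was cut off mid-report
    return reports


def exfat_alerts(log_text):
    """Keep only reports with an exfat_ symbol in the header or call trace."""
    return [r for r in kasan_reports(log_text)
            if any("exfat_" in ln for ln in r["lines"])]
```

On the sample, the benign exFAT mount message and the unrelated KASAN report are both ignored; only the report naming exfat_clear_bitmap is returned, with the faulting task attached for triage.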
🔗 References
- https://git.kernel.org/stable/c/2193286402df2d9c53294f7a858d5e6fd7346e08
- https://git.kernel.org/stable/c/64ba4b15e5c045f8b746c6da5fc9be9a6b00b61d
- https://git.kernel.org/stable/c/7c58b14b6f9cde9f69e7fa053ab73f6e013a7131
- https://git.kernel.org/stable/c/82f723b8a5adf497f9e34c702a30ca7298615654
- https://git.kernel.org/stable/c/c504167adc3248095a905fa0700a9693897cb5ed