CVE-2022-50056
📋 TL;DR
A null pointer dereference vulnerability in the Linux kernel's NTFS3 filesystem driver allows local attackers to crash the system or potentially escalate privileges. This affects Linux systems using the NTFS3 driver to access NTFS filesystems. The vulnerability occurs when accessing records in the $Extend directory without proper initialization.
💻 Affected Systems
- Linux kernel with NTFS3 filesystem driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise or kernel panic causing system crash and denial of service.
Likely Case
Local denial of service through kernel panic or system crash when accessing specific NTFS filesystem structures.
If Mitigated
Minimal impact with proper access controls preventing local users from accessing vulnerable NTFS mounts.
🎯 Exploit Status
Requires local access and ability to trigger the vulnerable code path through NTFS filesystem operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel stable releases containing commits 37a530bfe56ca9a0d3129598803f2794c7428aae, 8089a1bc27b41e6800590a92d17c119e9aa8ff53, c293e8abc09e6e1faa50d967bd8862b1cbd575e5
Vendor Advisory: https://git.kernel.org/stable/c/37a530bfe56ca9a0d3129598803f2794c7428aae
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable NTFS3 driver
linuxPrevent loading of the vulnerable NTFS3 filesystem driver
echo 'blacklist ntfs3' >> /etc/modprobe.d/blacklist-ntfs3.conf
update-initramfs -u
reboot
Use older NTFS driver
linuxUse the legacy NTFS driver instead of NTFS3
modprobe -r ntfs3
modprobe ntfs
🧯 If You Can't Patch
- Restrict local user access to systems with NTFS filesystems mounted
- Avoid mounting NTFS filesystems or use alternative filesystem drivers
🔍 How to Verify
Check if Vulnerable:
Check if NTFS3 module is loaded: lsmod | grep ntfs3. Check kernel version against patched releases.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is updated and NTFS3 module loads without issues when accessing $Extend directory.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- System crash/reboot logs
- NULL pointer dereference errors in kernel logs
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "kernel panic" OR "ntfs3")