CVE-2022-50241

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's NFSD (Network File System Daemon) that occurs during inter-server copy operations. When a client sends CLOSE before FREE_STATEID requests in a specific sequence, it can cause the kernel to free memory that's still referenced, potentially leading to system crashes or arbitrary code execution. This affects Linux systems running NFSD with inter-server copy functionality enabled.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernel versions with NFSD inter-server copy support (specific affected versions not explicitly stated, but patches available for stable branches)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when NFSD is running with inter-server copy functionality enabled. Many distributions may not have this enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash, or potential arbitrary code execution with kernel privileges resulting in complete system compromise.

🟠

Likely Case

System instability, kernel crashes, or denial of service affecting NFS file operations.

🟢

If Mitigated

Minimal impact if NFSD inter-server copy is disabled or systems are not exposed to untrusted networks.

🌐 Internet-Facing: MEDIUM - NFS servers exposed to internet could be targeted, but exploitation requires specific NFS operations and timing.
🏢 Internal Only: MEDIUM - Internal attackers with NFS access could potentially trigger the vulnerability, but requires specific sequence of operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires specific timing and sequence of NFS operations (CLOSE before FREE_STATEID), making reliable exploitation challenging. Requires NFS client access to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel branches via the provided git commits

Vendor Advisory: https://git.kernel.org/stable/c/019805fea91599b22dfa62ffb29c022f35abeb06

Restart Required: Yes

Instructions:

  1. Update the Linux kernel to a version containing the fix.
  2. Check distribution-specific security advisories.
  3. Reboot the system to load the new kernel.
  4. Verify that the NFSD service restarted properly.

🔧 Temporary Workarounds

Disable NFSD inter-server copy

Disable the inter-server copy functionality in NFSD so that the vulnerable code path cannot be reached. In the upstream nfsd module this is the inter_copy_offload_enable parameter (off by default); the idmapping parameter does not affect inter-server copy.

# inter_copy_offload_enable gates NFSv4.2 inter-server copy offload in nfsd
echo 0 > /sys/module/nfsd/parameters/inter_copy_offload_enable
systemctl restart nfs-server

Restrict NFS access

Limit NFS access to trusted clients only, using firewall rules and export configurations. Replace trusted_network with the client CIDR; the ACCEPT rule must come before the DROP rule, and NFSv4 uses TCP port 2049.

iptables -A INPUT -p tcp --dport 2049 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -j DROP

🧯 If You Can't Patch

  • Disable NFSD service entirely if not required
  • Implement strict network segmentation to isolate NFS servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether NFSD is serving NFSv4.2 (inter-server copy is an NFSv4.2 feature, so look for +4.2 in the output): 'uname -r' and 'cat /proc/fs/nfsd/versions'

Check Version:

uname -r

Verify Fix Applied:

Confirm that the running kernel (uname -r) contains the fix commit referenced in the vendor advisory, either by checking the kernel source or changelog, or by matching the version against your distribution's security advisory for this CVE.
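As an added example (not part of the advisory), the following POSIX shell script combines the two exposure checks above into one decision: it parses /proc/fs/nfsd/versions for +4.2 and reads the nfsd module parameter inter_copy_offload_enable (the upstream knob that enables inter-server copy offload, default N). The inner function takes both values as arguments so it can be exercised against constructed input on a machine without nfsd.

```shell
#!/bin/sh
# Added example: classify a host's exposure to the CVE-2022-50241 code path.
# Both conditions the advisory names must hold: nfsd serves NFSv4.2 and
# inter-server copy is enabled (module parameter inter_copy_offload_enable).

# $1: contents of /proc/fs/nfsd/versions, e.g. "-2 +3 +4 +4.1 +4.2"
# $2: contents of /sys/module/nfsd/parameters/inter_copy_offload_enable (Y/N)
# Prints "exposed", "v42-only" (4.2 served, copy offload off) or "not-exposed".
nfsd_ssc_exposure() {
    versions="$1"
    ssc="$2"
    v42=0
    for tok in $versions; do
        [ "$tok" = "+4.2" ] && v42=1
    done
    if [ "$v42" -eq 1 ] && [ "$ssc" = "Y" ]; then
        echo exposed
    elif [ "$v42" -eq 1 ]; then
        echo v42-only
    else
        echo not-exposed
    fi
}

# Read the live values. A missing versions file means nfsd is not loaded;
# a missing parameter file means the kernel was built without
# CONFIG_NFSD_V4_2_INTER_SSC, so copy offload is treated as disabled.
nfsd_ssc_exposure_live() {
    vfile=/proc/fs/nfsd/versions
    pfile=/sys/module/nfsd/parameters/inter_copy_offload_enable
    [ -r "$vfile" ] || { echo not-exposed; return; }
    ssc=N
    [ -r "$pfile" ] && ssc=$(cat "$pfile")
    nfsd_ssc_exposure "$(cat "$vfile")" "$ssc"
}

# Run on the NFS server; pair the verdict with a kernel-version check
# against the distribution advisory for the fix commit.
case "$(nfsd_ssc_exposure_live)" in
    exposed)  echo "NFSv4.2 with inter-server copy enabled: patch or set inter_copy_offload_enable=0" ;;
    v42-only) echo "NFSv4.2 served, inter-server copy disabled: vulnerable path not reachable" ;;
    *)        echo "nfsd not loaded or not serving NFSv4.2: not exposed" ;;
esac
```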

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/messages or dmesg
  • NFSD error logs related to stateid operations
  • System crashes during NFS copy operations

Network Indicators:

  • Unusual sequence of NFS operations (CLOSE before FREE_STATEID)
  • Multiple failed NFS stateid operations from single client

SIEM Query:

source="kernel" AND ("panic" OR "Oops") AND ("nfsd" OR "NFS")
