CVE-2022-50336
📋 TL;DR
CVE-2022-50336 is a NULL pointer dereference vulnerability in the Linux kernel's NTFS3 filesystem driver. When mounting a specially crafted malicious NTFS filesystem image, this can cause a kernel panic leading to denial of service. Systems using the NTFS3 driver (introduced in kernel 5.15) are affected.
💻 Affected Systems
- Linux kernel with NTFS3 driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially requiring physical or remote console access to reboot.
Likely Case
System crash when mounting a malicious NTFS filesystem, requiring reboot to restore service.
If Mitigated
No impact if proper access controls prevent mounting untrusted filesystems.
🎯 Exploit Status
Exploitation requires ability to mount a malicious NTFS filesystem, which typically requires local user privileges or physical access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 5.19.12, 5.18.19, 5.17.22, 5.16.20, 5.15.63 and later
Vendor Advisory: https://git.kernel.org/stable/c/1621734cd3047f7979da1d7d5c5444d583d8b0ed
Restart Required: No
Instructions:
1. Update Linux kernel to patched version from your distribution's repositories.
2. For custom kernels, apply the patch from the stable kernel tree.
3. No reboot required for the patch itself, but a kernel update typically requires reboot.
🔧 Temporary Workarounds
Disable NTFS3 driver
Linux
Temporarily disable the vulnerable NTFS3 driver module
echo 'blacklist ntfs3' >> /etc/modprobe.d/blacklist-ntfs3.conf
rmmod ntfs3
Use older NTFS driver
Linux
Use the legacy NTFS driver instead of NTFS3
modprobe -r ntfs3
modprobe ntfs
🧯 If You Can't Patch
- Restrict filesystem mounting privileges to trusted users only
- Implement strict access controls on /dev/loop* devices to prevent mounting untrusted images
🔍 How to Verify
Check if Vulnerable:
Check if NTFS3 module is loaded and kernel version is vulnerable: lsmod | grep ntfs3 && uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is patched: uname -r should be 5.19.12, 5.18.19, 5.17.22, 5.16.20, 5.15.63 or later
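The fixed versions above are per stable branch, so "or later" has to be checked within the branch: 5.16.5 sorts after 5.15.63 but is still below that branch's fix. The following script is an added example, not part of the original advisory, that applies the check to a `uname -r` string. Assumptions: `ntfs3_fix_status` is a hypothetical helper name, branches newer than 5.19 are treated as covered by "and later", and the release string follows mainline/stable numbering (distribution kernels that backport fixes without changing the point release need the distribution's own advisory).

```shell
#!/bin/sh
# Added example: classify a kernel release string against the fixed versions
# listed on this page. ntfs3_fix_status is a hypothetical helper name.
ntfs3_fix_status() {
    rel=${1%%[-+_ ]*}               # drop distro suffix: 5.19.12-arch1-1 -> 5.19.12
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;             # e.g. "5.19" or "5.19-rc3"
    esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    # NTFS3 was introduced in 5.15, so older kernels do not ship the driver.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 15 ]; }; then
        echo not-affected; return 0
    fi
    # Assumption: "and later" covers every branch newer than 5.19.
    if [ "$major" -gt 5 ] || [ "$minor" -gt 19 ]; then
        echo patched; return 0
    fi
    # First fixed point release per stable branch, as listed on this page.
    case $minor in
        15) fixed=63 ;;
        16) fixed=20 ;;
        17) fixed=22 ;;
        18) fixed=19 ;;
        19) fixed=12 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Report for the running system. /proc/modules is the data lsmod reads.
if grep -qs '^ntfs3 ' /proc/modules; then loaded=yes; else loaded=no; fi
echo "kernel $(uname -r): $(ntfs3_fix_status "$(uname -r)") (ntfs3 loaded: $loaded)"
```

A result of `vulnerable` with `ntfs3 loaded: no` still matters if the module can be loaded on demand when a filesystem is mounted.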
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning 'NULL pointer dereference' in attr_load_runs_vcn or ni_find_attr
- System crash logs when mounting NTFS filesystems
Network Indicators:
- None - this is a local filesystem vulnerability
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "BUG: kernel" OR "Oops:") AND ("attr_load_runs_vcn" OR "ni_find_attr" OR "ntfs3")