LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49738: f2fs: fix to do sanity check on i_extra_isize in is_alive()

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_extra_isize in is_alive() syzbot found a f2fs bug: BUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline] BUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline] BUG: KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline] BUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734 Read of size 4 at addr ffff888076557568 by task kworker/u4:3/52 CPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbb/0x1f0 mm/kasan/report.c:495 data_blkaddr fs/f2fs/f2fs.h:2891 [inline] is_alive fs/f2fs/gc.c:1117 [inline] gc_data_segment fs/f2fs/gc.c:1520 [inline] do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734 f2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831 f2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410 f2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753 write_inode fs/fs-writeback.c:1440 [inline] __writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652 writeback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870 wb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044 wb_do_writeback fs/fs-writeback.c:2187 [inline] wb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 The root cause is that we forgot to do sanity check on .i_extra_isize in below path, result in accessing invalid address later, fix it. - gc_data_segment - is_alive - data_blkaddr - offset_in_addr

HighCVSS 7.1Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2022-49738 is a Linux kernel F2FS filesystem bug that can read outside valid memory during garbage collection. A local low-privileged user could potentially cause sensitive memory disclosure or a system availability impact on affected kernels using F2FS.

Executive priority

Prioritize patching where Linux systems use F2FS or host untrusted local users. This is not a remotely exploitable internet-facing issue based on the supplied evidence, but confidentiality and availability impacts justify timely remediation.

Technical view

The flaw is a missing sanity check for inode i_extra_isize in F2FS is_alive(), reached through gc_data_segment and data_blkaddr. The reported failure is a KASAN slab out-of-bounds read. CVSS 3.1 is 7.1 with local attack vector, low privileges, high confidentiality impact, and high availability impact.

Likely exposure

Exposure is most relevant for Linux systems running affected kernels where F2FS is enabled or mounted. The bundle lists Linux kernel versions including 3.8 through pre-fixed stable lines as affected, but exact distribution package exposure requires vendor mapping.

Exploitation context

CISA KEV status is false in the supplied bundle. The source describes syzbot discovery and kernel fixes, but does not cite active exploitation, public exploit code, or real-world attacks. Treat exploitation evidence as incomplete, not confirmed.

Researcher notes

The root cause is unchecked i_extra_isize leading to invalid address access in F2FS garbage collection. Affected-version data in the bundle appears broad and commit-oriented, so validate against kernel stable commits and downstream vendor backports before declaring systems vulnerable.

Mitigation direction

  • Update to a vendor kernel containing the listed stable F2FS fixes.
  • Check distribution advisories for exact package versions and backport status.
  • Prioritize systems that mount or allow local access to F2FS filesystems.
  • Apply normal local-user hardening while patch rollout is pending.

Validation and detection

  • Inventory running Linux kernel versions across servers, endpoints, and appliances.
  • Identify systems with F2FS support enabled or F2FS filesystems mounted.
  • Map kernels to vendor advisories and the listed stable commits.
  • Confirm patched systems rebooted into the fixed kernel.
  • Review vulnerability scanner findings for distribution-specific backports.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-125: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2022-49738 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.1 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.1CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H1.85.2CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

7.1High
CVSS 3.1 vector shape for CVE-2022-49738Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4, 98e4da8ca301e062d79ae168c67e56f3c3de3ce4unaffected
LinuxLinux3.8, 0, 5.4.232, 5.10.168, 5.15.93, 6.1.11, 6.2affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-125 · source CWE mapping

Out-of-bounds Read

Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.