LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49747: erofs/zmap.c: Fix incorrect offset calculation

In the Linux kernel, the following vulnerability has been resolved: erofs/zmap.c: Fix incorrect offset calculation Effective offset to add to length was being incorrectly calculated, which resulted in iomap->length being set to 0, triggering a WARN_ON in iomap_iter_done(). Fix that, and describe it in comments. This was reported as a crash by syzbot under an issue about a warning encountered in iomap_iter_done(), but unrelated to erofs. C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1037a6b2880000 Kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=e2021a61197ebe02 Dashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-49747 is a Linux kernel EROFS filesystem bug where an incorrect offset calculation can trigger a kernel warning and crash condition. The public record ties it to syzbot testing, not real-world attacks. Business urgency depends on whether exposed Linux systems use or process EROFS filesystems.

Executive priority

Treat as a targeted kernel stability risk, not a confirmed emergency. Patch through normal kernel maintenance, faster for systems handling untrusted filesystem images or using EROFS in production.

Technical view

The bug is in erofs/zmap.c. An effective offset was calculated incorrectly, causing iomap->length to become 0 and triggering WARN_ON in iomap_iter_done(). The source bundle references stable kernel commits that resolve the calculation and add explanatory comments. CVSS and CWE data are not provided.

Likely exposure

Exposure appears limited to Linux kernels in the affected version set that have EROFS support and can mount or process EROFS filesystem images. The bundle lists Linux kernel versions including 5.15, 5.15.92, 6.1.10, and 6.2, but does not provide full range semantics.

Exploitation context

No active exploitation is supported by the provided sources, and the CVE is not marked KEV. The issue was reported by syzbot as a crash related to a warning path. Public reproducer and kernel configuration links exist, so researchers can validate defensively without inferring active attacks.

Researcher notes

The public evidence describes a logic bug found by syzbot, with a C reproducer and kernel config linked. Severity, CVSS, CWE, and real-world exploit evidence are absent. Analysis should stay close to EROFS offset handling and the referenced stable commits.

Mitigation direction

  • Check your Linux distributor or kernel vendor guidance for fixed packages.
  • Update to a kernel build containing the referenced stable fixes.
  • Prioritize systems that mount or ingest EROFS images from less trusted sources.
  • If EROFS is unnecessary, review vendor-supported options to reduce or disable its use.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and container hosts.
  • Confirm whether EROFS support is enabled and operationally used.
  • Check kernel package changelogs for the referenced stable commit identifiers.
  • Review kernel logs for iomap_iter_done WARN_ON or EROFS crash signatures.
  • Validate remediation in staging before deploying kernel updates broadly.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49747 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxeadcd6b5a1eb39866ab8d8a3e4f2e51bc51a2350, eadcd6b5a1eb39866ab8d8a3e4f2e51bc51a2350, eadcd6b5a1eb39866ab8d8a3e4f2e51bc51a2350unaffected
LinuxLinux5.15, 0, 5.15.92, 6.1.10, 6.2affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.