In the Linux kernel, the following vulnerability has been resolved:
erofs/zmap.c: Fix incorrect offset calculation
Effective offset to add to length was being incorrectly calculated,
which resulted in iomap->length being set to 0, triggering a WARN_ON
in iomap_iter_done().
Fix that, and describe it in comments.
This was reported as a crash by syzbot under an issue about a warning
encountered in iomap_iter_done(), but unrelated to erofs.
C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1037a6b2880000
Kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=e2021a61197ebe02
Dashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6
Security readout for executives and security teams
Plain-English summary
CVE-2022-49747 is a Linux kernel EROFS filesystem bug where an incorrect offset calculation can trigger a kernel warning and crash condition. The public record ties it to syzbot testing, not real-world attacks. Business urgency depends on whether exposed Linux systems use or process EROFS filesystems.
Executive priority
Treat as a targeted kernel stability risk, not a confirmed emergency. Patch through normal kernel maintenance, faster for systems handling untrusted filesystem images or using EROFS in production.
Technical view
The bug is in erofs/zmap.c. An effective offset was calculated incorrectly, causing iomap->length to become 0 and triggering WARN_ON in iomap_iter_done(). The source bundle references stable kernel commits that resolve the calculation and add explanatory comments. CVSS and CWE data are not provided.
Likely exposure
Exposure appears limited to Linux kernels in the affected version set that have EROFS support and can mount or process EROFS filesystem images. The bundle lists Linux kernel versions including 5.15, 5.15.92, 6.1.10, and 6.2, but does not provide full range semantics.
Exploitation context
No active exploitation is supported by the provided sources, and the CVE is not marked KEV. The issue was reported by syzbot as a crash related to a warning path. Public reproducer and kernel configuration links exist, so researchers can validate defensively without inferring active attacks.
Researcher notes
The public evidence describes a logic bug found by syzbot, with a C reproducer and kernel config linked. Severity, CVSS, CWE, and real-world exploit evidence are absent. Analysis should stay close to EROFS offset handling and the referenced stable commits.
Mitigation direction
Check your Linux distributor or kernel vendor guidance for fixed packages.
Update to a kernel build containing the referenced stable fixes.
Prioritize systems that mount or ingest EROFS images from less trusted sources.
If EROFS is unnecessary, review vendor-supported options to reduce or disable its use.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and container hosts.
Confirm whether EROFS support is enabled and operationally used.
Check kernel package changelogs for the referenced stable commit identifiers.
Review kernel logs for iomap_iter_done WARN_ON or EROFS crash signatures.
Validate remediation in staging before deploying kernel updates broadly.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49747 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Mar 27, 2025, 16:42 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.