CVE-2022-50193: erofs: wake up all waiters after z_erofs_lzma_head ready
In the Linux kernel, the following vulnerability has been resolved:
erofs: wake up all waiters after z_erofs_lzma_head ready
When the user mounts the erofs second times, the decompression thread
may hung. The problem happens due to a sequence of steps like the
following:
1) Task A called z_erofs_load_lzma_config which obtain all of the node
from the z_erofs_lzma_head.
2) At this time, task B called the z_erofs_lzma_decompress and wanted to
get a node. But the z_erofs_lzma_head was empty, the Task B had to
sleep.
3) Task A release nodes and push nodes into the z_erofs_lzma_head. But
task B was still sleeping.
One example report when the hung happens:
task:kworker/u3:1 state:D stack:14384 pid: 86 ppid: 2 flags:0x00004000
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
Call Trace:
<TASK>
__schedule+0x281/0x760
schedule+0x49/0xb0
z_erofs_lzma_decompress+0x4bc/0x580
? cpu_core_flags+0x10/0x10
z_erofs_decompress_pcluster+0x49b/0xba0
? __update_load_avg_se+0x2b0/0x330
? __update_load_avg_se+0x2b0/0x330
? update_load_avg+0x5f/0x690
? update_load_avg+0x5f/0x690
? set_next_entity+0xbd/0x110
? _raw_spin_unlock+0xd/0x20
z_erofs_decompress_queue.isra.0+0x2e/0x50
z_erofs_decompressqueue_work+0x30/0x60
process_one_work+0x1d3/0x3a0
worker_thread+0x45/0x3a0
? process_one_work+0x3a0/0x3a0
kthread+0xe2/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can leave EROFS decompression work stuck after a repeated mount scenario. The reported effect is a hung kernel worker, which points to availability impact rather than data theft. The provided sources do not give a CVSS score or evidence of active exploitation.
Executive priority
Treat as a targeted kernel availability risk. It is most urgent for appliances, embedded systems, containers, or boot flows relying on EROFS images. Without exploitation evidence or a severity score, handle through normal kernel patch governance unless exposure is confirmed.
Technical view
The bug is in EROFS LZMA decompression synchronization. A task can wait for an available node from z_erofs_lzma_head, while another task returns nodes without waking all waiters, leaving decompression threads sleeping in uninterruptible state.
Likely exposure
Likely limited to Linux systems using EROFS with LZMA-compressed content, especially where EROFS filesystems are mounted more than once. The bundle lists Linux kernel version ranges and stable commits, but does not provide distro package mappings.
Exploitation context
The source describes a hang sequence and kernel call trace. It does not state remote exploitability, public exploit availability, or active exploitation. KEV is false, so active exploitation should not be assumed.
Researcher notes
The public record is sparse: no CVSS, CWE, exploit report, or vendor-specific affected package list is included. Analysis should focus on EROFS LZMA use, kernel provenance, and whether the referenced stable commits are present.
Mitigation direction
Check Linux distribution advisories for CVE-2022-50193 kernel packages.
Prioritize updates on systems using EROFS or compressed read-only images.
Adopt vendor kernels containing the referenced stable EROFS fix commits.
Reduce unnecessary EROFS remount workflows until patched, where operationally feasible.
Validation and detection
Inventory kernels and identify hosts using EROFS with LZMA compression.
Check whether vendor kernel changelogs include CVE-2022-50193 or the referenced commits.
Review logs for hung erofs_unzipd or z_erofs_lzma_decompress worker traces.
Confirm patched hosts no longer show EROFS decompression hangs during approved regression tests.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50193 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:03 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.