CVE-2022-50092

MEDIUM EPSS 9.9%
Published Jun 18, 20251y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jun 18, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: dm thin: fix use-after-free crash in dm_sm_register_threshold_callback Fault inject on pool metadata device reports: BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80 Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950 CPU: 7 PID: 950 Comm: dmsetup Tainted: G W 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xeb/0x3f4 kasan_report.cold+0xe6/0x147 dm_pool_register_metadata_threshold+0x40/0x80 pool_ctr+0xa0a/0x1150 dm_table_add_target+0x2c8/0x640 table_load+0x1fd/0x430 ctl_ioctl+0x2c4/0x5a0 dm_ctl_ioctl+0xa/0x10 __x64_sys_ioctl+0xb3/0xd0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This can be easily reproduced using: echo offline > /sys/block/sda/device/state dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10 dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0" If a metadata commit fails, the transaction will be aborted and the metadata space maps will be destroyed. If a DM table reload then happens for this failed thin-pool, a use-after-free will occur in dm_sm_register_threshold_callback (called from dm_pool_register_metadata_threshold). Fix this by in dm_pool_register_metadata_threshold() by returning the -EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr() with a new error message: "Error registering metadata threshold".

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
9.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥3.10  –  <5.4.211
linuxlinux_kernel*≥5.5  –  <5.10.137
linuxlinux_kernel*≥5.11  –  <5.15.61
linuxlinux_kernel*≥5.16  –  <5.18.18
linuxlinux_kernel*≥5.19  –  <5.19.2

References 6

  • git.kernel.org https://git.kernel.org/stable/c/05cef0999b3208b5a6ede1bfac855139e4de55ef
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1a199fa9217d28511ff88529238fd9980ea64cf3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3534e5a5ed2997ca1b00f44a0378a075bd05e8a3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5e2cf705155a1514be3c96ea664a9cd356998ee7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e4dbe24f4bfd8377e7ba79fdcdb7c4d6eb1c6790
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f83131a3071a0b61a4d7dca70f95adb3ffad920e
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/05cef0999b3208b5a6ede1bfac855139e4de55ef
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1a199fa9217d28511ff88529238fd9980ea64cf3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3534e5a5ed2997ca1b00f44a0378a075bd05e8a3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5e2cf705155a1514be3c96ea664a9cd356998ee7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e4dbe24f4bfd8377e7ba79fdcdb7c4d6eb1c6790
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f83131a3071a0b61a4d7dca70f95adb3ffad920e
    Patch