CVE-2022-49078
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

lz4: fix LZ4_decompress_safe_partial read out of bound

When partialDecoding, it is EOF if we've either filled the output buffer or can't proceed with reading an offset for following match. In some extreme corner cases when compressed data is suitably corrupted, UAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial may lead to read out of bound problem during decoding.

lz4 upstream has fixed it [2] and this issue has been discussed here [3] before. Current decompression routine was ported from lz4 v1.8.3, bumping lib/lz4 to v1.9.+ is certainly a huge work to be done later, so, we'd better fix it first.

[1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@google.com/
[2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#
[3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@fb.com/
Security Summary
CVE-2022-49078 is a vulnerability in the Linux kernel's LZ4 decompression implementation, specifically in the LZ4_decompress_safe_partial function used for partial decoding. In extreme corner cases with suitably corrupted compressed data, the function can trigger a read out of bounds, leading to a Use After Free condition (CWE-416). This issue stems from the kernel's lib/lz4 code, which was ported from LZ4 v1.8.3, and was identified via KASAN reporting.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation involves providing malformed compressed data to the LZ4_decompress_safe_partial routine, potentially resulting in out-of-bounds reads and subsequent UAF, which could enable arbitrary code execution, data corruption, or denial of service.
Mitigation is available through patches applied to Linux kernel stable trees, including commits such as 467d5e200ab4486b744fe1776154a43d1aa22d4b, 6adc01a7aa37445dafe8846faa0610a86029b253, 73953dfa9d50e5c9fe98ee13fd1d3427aa12a0a3, 9fb8bc6cfc58773ce95414e11c9ccc8fc6ac4927, and e64dbe97c05c769525cbca099ddbd22485630235. An upstream fix exists in the LZ4 library at commit c5d6f8a8be3927c0bec91bcc58667a6cfad244ad, though kernel maintainers opted for a targeted fix prior to a full update to LZ4 v1.9+.
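The EOF rule quoted in the description (partial decoding stops when the output buffer is full or when the remaining input cannot hold a two-byte match offset) is easiest to see in a small decoder. The block below is an added illustration written for this page; it is a toy LZ4 block-format decoder, not the kernel's lib/lz4 code or the upstream fix, and the sample inputs are constructed here. It shows where the bounds check sits relative to the offset read, and how a truncated or corrupt stream is terminated instead of being read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy LZ4 block decoder in "partial" mode (illustration only, not the kernel's
 * lib/lz4 code). Each sequence is: token, [literal-length extension bytes],
 * literals, 2-byte little-endian match offset, [match-length extension bytes].
 * Returns the number of bytes written to dst, or -1 for input that must be rejected.
 * Partial-mode EOF is reached when the output buffer is full OR when fewer than
 * two input bytes remain, so the match offset is never read past src_len. */
long lz4_decompress_partial(const uint8_t *src, size_t src_len,
                            uint8_t *dst, size_t dst_cap)
{
    const uint8_t *ip = src, *iend = src + src_len;
    uint8_t *op = dst, *oend = dst + dst_cap;

    while (ip < iend) {
        unsigned token = *ip++;

        /* literal length: 0..14 inline, 15 means "add the following bytes" */
        size_t lit = token >> 4;
        if (lit == 15) {
            unsigned b;
            do {
                if (ip >= iend) return -1;      /* extension runs off the input */
                b = *ip++;
                lit += b;
            } while (b == 255);
        }
        if (lit > (size_t)(iend - ip)) return -1;   /* literals truncated: reject */
        if (lit >= (size_t)(oend - op)) {           /* output fills up: partial EOF */
            memcpy(op, ip, (size_t)(oend - op));
            return (long)dst_cap;
        }
        memcpy(op, ip, lit);
        op += lit;
        ip += lit;

        /* The condition described in the advisory: in partial decoding we are at
         * EOF if the output is full or there are not enough input bytes left to
         * hold an offset. Without the second half, ip[1] below would be read
         * beyond iend on a stream that ends right after a literal run. */
        if (op == oend || (size_t)(iend - ip) < 2)
            return (long)(op - dst);

        size_t offset = (size_t)ip[0] | ((size_t)ip[1] << 8);
        ip += 2;
        if (offset == 0 || offset > (size_t)(op - dst))
            return -1;                               /* match would start before dst */

        size_t mlen = (token & 15) + 4;              /* minimum match is 4 bytes */
        if ((token & 15) == 15) {
            unsigned b;
            do {
                if (ip >= iend) return -1;
                b = *ip++;
                mlen += b;
            } while (b == 255);
        }
        if (mlen > (size_t)(oend - op)) mlen = (size_t)(oend - op);  /* clamp to dst */

        /* byte-wise copy so overlapping matches (offset < mlen) replicate correctly */
        const uint8_t *match = op - offset;
        for (size_t i = 0; i < mlen; i++) op[i] = match[i];
        op += mlen;
    }
    return (long)(op - dst);
}

/* Constructed samples (not from the advisory). Token 0x35 = 3 literals, match length 5+4. */
static const uint8_t SAMPLE_OK[]        = {0x35, 'a', 'b', 'c', 0x03, 0x00};
static const uint8_t SAMPLE_TRUNC_OFF[] = {0x35, 'a', 'b', 'c', 0x03};       /* offset cut short */
static const uint8_t SAMPLE_BAD_OFF[]   = {0x35, 'a', 'b', 'c', 0x05, 0x00}; /* offset > history */

static uint8_t g_out[64];   /* scratch output buffer for the demo cases */

long decode_sample(const uint8_t *src, size_t n, size_t cap)
{
    memset(g_out, 0, sizeof g_out);
    return lz4_decompress_partial(src, n, g_out, cap);
}

int output_is(const char *expect)
{
    return memcmp(g_out, expect, strlen(expect)) == 0;
}

int main(void)
{
    printf("full:      %ld\n", decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, 12));               /* 12 */
    printf("partial:   %ld\n", decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, 7));                /* 7  */
    printf("truncated: %ld\n", decode_sample(SAMPLE_TRUNC_OFF, sizeof SAMPLE_TRUNC_OFF, 12)); /* 3  */
    printf("bad off:   %ld\n", decode_sample(SAMPLE_BAD_OFF, sizeof SAMPLE_BAD_OFF, 12));     /* -1 */
    return 0;
}
```

The truncated sample is the case that matters for this CVE: the stream ends with a single byte where a two-byte offset should be, and the decoder returns the three literals already produced rather than reading one byte past the input. An offset larger than the data already written is rejected outright, since in that case the match source would lie before the start of the output buffer.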
Details
- CWE(s)