Cyber Posture

CVE-2022-49560

High

Published: 26 February 2025

Published
26 February 2025
Modified
01 October 2025
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0007 22.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: exfat: check if cluster num is valid Syzbot reported slab-out-of-bounds read in exfat_clear_bitmap. This was triggered by reproducer calling truncute with size 0, which causes the following trace: BUG: KASAN: slab-out-of-bounds in exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174 Read of size 8 at addr ffff888115aa9508 by task syz-executor251/365 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118 print_address_description+0x81/0x3c0 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309 exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174 exfat_free_cluster+0x25a/0x4a0 fs/exfat/fatent.c:181 __exfat_truncate+0x99e/0xe00 fs/exfat/file.c:217 exfat_truncate+0x11b/0x4f0 fs/exfat/file.c:243 exfat_setattr+0xa03/0xd40 fs/exfat/file.c:339 notify_change+0xb76/0xe10 fs/attr.c:336 do_truncate+0x1ea/0x2d0 fs/open.c:65 Move the is_valid_cluster() helper from fatent.c to a common header to make it reusable in other *.c files. And add is_valid_cluster() to validate if cluster number is within valid range in exfat_clear_bitmap() and exfat_set_bitmap().

Security Summary

CVE-2022-49560 is a slab-out-of-bounds read vulnerability in the Linux kernel's exFAT filesystem implementation, specifically within the exfat_clear_bitmap function in fs/exfat/balloc.c. The issue arises from a lack of validation for cluster numbers, which can be triggered by a truncate operation setting a file size to zero, as reported by Syzbot fuzzing. This leads to an out-of-bounds read of 8 bytes, detected by KASAN, during bitmap clearing in exfat_free_cluster as part of the truncate process in exfat_truncate and exfat_setattr.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L). Successful exploitation results in high-impact confidentiality loss (C:H) through potential exposure of sensitive kernel memory and high-impact availability disruption (A:H) via kernel crashes, but no integrity impact (I:N) in an unchanged security scope (S:U). The CVSS v3.1 base score is 7.1, classified under CWE-125 (Out-of-bounds Read).

Kernel patch commits referenced in advisories address the issue by introducing is_valid_cluster checks in exfat_clear_bitmap and exfat_set_bitmap to ensure cluster numbers are within valid ranges. The is_valid_cluster helper was moved from fs/exfat/fatent.c to a common header for reuse across exFAT source files. Mitigation requires updating to Linux kernel versions incorporating these stable branch commits, such as those at https://git.kernel.org/stable/c/2193286402df2d9c53294f7a858d5e6fd7346e08 and related patches.

Details

CWE(s)
CWE-125

Affected Products

linux
linux kernel
5.7 — 5.10.120 · 5.11 — 5.15.45 · 5.16 — 5.17.13

References