{"id":"CVE-2022-50673","summary":"ext4: fix use-after-free in ext4_orphan_cleanup","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_orphan_cleanup\n\nI caught a issue as follows:\n==================================================================\n BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0\n Read of size 8 at addr ffff88814b13f378 by task mount/710\n\n CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x73/0x9f\n  print_report+0x25d/0x759\n  kasan_report+0xc0/0x120\n  __asan_load8+0x99/0x140\n  __list_add_valid+0x28/0x1a0\n  ext4_orphan_cleanup+0x564/0x9d0 [ext4]\n  __ext4_fill_super+0x48e2/0x5300 [ext4]\n  ext4_fill_super+0x19f/0x3a0 [ext4]\n  get_tree_bdev+0x27b/0x450\n  ext4_get_tree+0x19/0x30 [ext4]\n  vfs_get_tree+0x49/0x150\n  path_mount+0xaae/0x1350\n  do_mount+0xe2/0x110\n  __x64_sys_mount+0xf0/0x190\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  \u003c/TASK\u003e\n [...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n  ext4_orphan_cleanup\n   --- loop1: assume last_orphan is 12 ---\n    list_add(&EXT4_I(inode)-\u003ei_orphan, &EXT4_SB(sb)-\u003es_orphan)\n    ext4_truncate --\u003e return 0\n      ext4_inode_attach_jinode --\u003e return -ENOMEM\n    iput(inode) --\u003e free inode\u003c12\u003e\n   --- loop2: last_orphan is still 12 ---\n    list_add(&EXT4_I(inode)-\u003ei_orphan, &EXT4_SB(sb)-\u003es_orphan);\n    // use inode\u003c12\u003e and trigger UAF\n\nTo solve this issue, we need to propagate the return value of\next4_inode_attach_jinode() appropriately.","modified":"2026-03-20T11:47:34.858685Z","published":"2025-12-09T01:29:25.220Z","related":["ALSA-2026:2264","ALSA-2026:2378","SUSE-SU-2026:0263-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50673.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50673.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50673"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2c98eb5ea249767bbc11cf4e70e91d5b0458ed13"},{"fixed":"7f801a1593cb957f73659732836b2dafbdfc7709"},{"fixed":"026a4490b5381229a30f23d073b58e8e35ee6858"},{"fixed":"7223d5e75f26352354ea2c0ccf8b579821b52adf"},{"fixed":"cf0e0817b0f925b70d101d7014ea81b7094e1159"},{"fixed":"c2bdbd4c69308835d1b6f6ba74feeccbfe113478"},{"fixed":"7908b8a541b1578cc61b4da7f19b604a931441da"},{"fixed":"a71248b1accb2b42e4980afef4fa4a27fa0e36f5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50673.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.10.0"},{"fixed":"4.19.270"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.229"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.163"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.87"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.18"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0"},{"fixed":"6.1.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50673.json"}}],"schema_version":"1.7.5"}