Bug 2373686 (CVE-2022-50205)

Summary: CVE-2022-50205 kernel: Linux kernel: Denial of Service in ext2 filesystem via corrupted inode counts
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's ext2 filesystem. A local attacker could exploit this vulnerability by providing a specially crafted or corrupted filesystem with invalid inode counts. This could lead to system crashes, resulting in a Denial of Service (DoS) for the affected system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-06-18 12:13:47 UTC
In the Linux kernel, the following vulnerability has been resolved:

ext2: Add more validity checks for inode counts

Add checks verifying that the number of inodes stored in the superblock matches
the number computed from the number of inodes per group. Also verify that we have
at least one block worth of inodes per group. This prevents crashes on
corrupted filesystems.
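The two validity checks the commit message describes, modelled as an added C example that is not the kernel's own patch: the superblock struct here is a hypothetical subset of the on-disk ext2 layout, and the function and enum names (`sb_model`, `validate_inode_counts`, `sb_verdict`) are assumptions made for this illustration. The sample superblock is constructed, not taken from a real image, and the corrupted variants reproduce the two conditions the fix rejects at mount time: a total inode count that does not equal groups × inodes per group, and fewer than one block worth of inodes per group.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of the ext2 superblock fields that the inode-count
 * checks depend on (a subset of the on-disk layout, not the kernel's
 * struct ext2_super_block). Values are assumed already converted from
 * little-endian to host order.
 */
struct sb_model {
    uint32_t s_inodes_count;      /* total inodes claimed by the superblock */
    uint32_t s_blocks_count;      /* total blocks in the filesystem */
    uint32_t s_first_data_block;  /* 1 for 1 KiB blocks, 0 otherwise */
    uint32_t s_log_block_size;    /* block size = 1024 << s_log_block_size */
    uint32_t s_blocks_per_group;
    uint32_t s_inodes_per_group;
    uint16_t s_inode_size;        /* on-disk inode size in bytes */
};

enum sb_verdict {
    SB_OK = 0,
    SB_BAD_BLOCK_SIZE,
    SB_BAD_INODE_SIZE,
    SB_BAD_BLOCKS_PER_GROUP,
    SB_BAD_BLOCKS_COUNT,
    SB_BAD_INODES_PER_GROUP,   /* below one block of inodes, or beyond one bitmap block */
    SB_INODE_COUNT_MISMATCH,   /* s_inodes_count != groups * s_inodes_per_group */
};

/* Number of block groups: data blocks after s_first_data_block, rounded up
 * to whole groups. 64-bit arithmetic so a hostile block count cannot wrap. */
static uint64_t group_count(const struct sb_model *sb)
{
    uint64_t data_blocks = (uint64_t)sb->s_blocks_count - sb->s_first_data_block;
    return (data_blocks + sb->s_blocks_per_group - 1) / sb->s_blocks_per_group;
}

enum sb_verdict validate_inode_counts(const struct sb_model *sb)
{
    /* ext2 supports 1 KiB, 2 KiB and 4 KiB blocks only. */
    if (sb->s_log_block_size > 2)
        return SB_BAD_BLOCK_SIZE;
    uint32_t block_size = 1024u << sb->s_log_block_size;

    /* Inode size: a power of two between 128 bytes and one block. */
    if (sb->s_inode_size < 128 || sb->s_inode_size > block_size ||
        (sb->s_inode_size & (sb->s_inode_size - 1)) != 0)
        return SB_BAD_INODE_SIZE;

    /* The block bitmap of a group occupies one block: at most block_size*8 blocks. */
    if (sb->s_blocks_per_group == 0 || sb->s_blocks_per_group > block_size * 8u)
        return SB_BAD_BLOCKS_PER_GROUP;

    if (sb->s_blocks_count <= sb->s_first_data_block)
        return SB_BAD_BLOCKS_COUNT;

    /* Check 1 from the fix: at least one block worth of inodes per group
     * (and no more than the one-block inode bitmap can describe). */
    uint32_t inodes_per_block = block_size / sb->s_inode_size;
    if (sb->s_inodes_per_group < inodes_per_block ||
        sb->s_inodes_per_group > block_size * 8u)
        return SB_BAD_INODES_PER_GROUP;

    /* Check 2 from the fix: the stored total must equal what the per-group
     * figure implies across all groups. */
    uint64_t expected = group_count(sb) * sb->s_inodes_per_group;
    if (expected != sb->s_inodes_count)
        return SB_INODE_COUNT_MISMATCH;

    return SB_OK;
}

/* Constructed sample: 8 MiB filesystem, 1 KiB blocks, one block group,
 * 128-byte inodes (8 per block) and 2048 inodes. Internally consistent. */
struct sb_model sample_superblock(void)
{
    struct sb_model sb = {
        .s_inodes_count = 2048,
        .s_blocks_count = 8192,
        .s_first_data_block = 1,
        .s_log_block_size = 0,
        .s_blocks_per_group = 8192,
        .s_inodes_per_group = 2048,
        .s_inode_size = 128,
    };
    return sb;
}

/* Verdict for a copy of the sample with only s_inodes_count altered. */
enum sb_verdict verdict_with_inode_count(uint32_t inodes_count)
{
    struct sb_model sb = sample_superblock();
    sb.s_inodes_count = inodes_count;
    return validate_inode_counts(&sb);
}

/* Verdict for a copy of the sample with only s_inodes_per_group altered. */
enum sb_verdict verdict_with_inodes_per_group(uint32_t per_group)
{
    struct sb_model sb = sample_superblock();
    sb.s_inodes_per_group = per_group;
    return validate_inode_counts(&sb);
}

int main(void)
{
    printf("consistent superblock:   %d\n", verdict_with_inode_count(2048));
    printf("inode total doubled:     %d\n", verdict_with_inode_count(4096));
    printf("4 inodes per group:      %d\n", verdict_with_inodes_per_group(4));
    printf("1024 inodes per group:   %d\n", verdict_with_inodes_per_group(1024));
    return 0;
}
```

The ordering matters: block size, inode size and blocks-per-group are bounded first, so that the later divisions and the group count are computed from values already known to be sane; the final equality is done in 64-bit arithmetic so that an oversized block count cannot make the product wrap into an apparently valid total.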

Comment 1 Avinash Hanwate 2025-06-18 17:10:50 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061841-CVE-2022-50205-4197@gregkh/T