Bug 2395243 (CVE-2022-50300)

Summary: CVE-2022-50300 kernel: Linux kernel: Denial of Service in btrfs due to use-after-free vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's btrfs filesystem component. A local user could exploit this use-after-free vulnerability by mounting a btrfs filesystem where a chunk is stored on a missing device without the 'degraded mount' option. This can lead to a system crash, resulting in a Denial of Service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-09-15 15:02:42 UTC 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix extent map use-after-free when handling missing device in read_one_chunk

Store the error code before freeing the extent_map. Though it's
reference counted structure, in that function it's the first and last
allocation so this would lead to a potential use-after-free.

The error can happen eg. when chunk is stored on a missing device and
the degraded mount option is missing.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721
Comment 1 Keith Grant 2025-09-15 18:04:18 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091558-CVE-2022-50300-203c@gregkh/T