2395243 – (CVE-2022-50300) CVE-2022-50300 kernel: btrfs: fix extent map use-after-free when handling missing device in read_one_chunk

Bug 2395243 (CVE-2022-50300) - CVE-2022-50300 kernel: btrfs: fix extent map use-after-free when handling missing device in read_one_chunk

Summary: CVE-2022-50300 kernel: btrfs: fix extent map use-after-free when handling mis...

Keywords:
Status:	NEW
Alias:	CVE-2022-50300
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-15 15:02 UTC by OSIDB Bzimport
Modified:	2025-09-15 18:06 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-15 15:02:42 UTC

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix extent map use-after-free when handling missing device in read_one_chunk

Store the error code before freeing the extent_map. Though it's
reference counted structure, in that function it's the first and last
allocation so this would lead to a potential use-after-free.

The error can happen eg. when chunk is stored on a missing device and
the degraded mount option is missing.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721

Comment 1 Keith Grant 2025-09-15 18:04:18 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091558-CVE-2022-50300-203c@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.