Bug 2396114 (CVE-2022-50367) - CVE-2022-50367 kernel: fs: fix UAF/GPF bug in nilfs_mdt_destroy
Summary: CVE-2022-50367 kernel: fs: fix UAF/GPF bug in nilfs_mdt_destroy
Keywords:
Status: NEW
Alias: CVE-2022-50367
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-17 15:02 UTC by OSIDB Bzimport
Modified: 2025-12-04 12:45 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:19409 0 None None None 2025-11-03 02:27:12 UTC
Red Hat Product Errata RHSA-2025:19886 0 None None None 2025-11-06 08:55:19 UTC
Red Hat Product Errata RHSA-2025:19931 0 None None None 2025-11-10 01:17:45 UTC
Red Hat Product Errata RHSA-2025:19932 0 None None None 2025-11-10 00:59:18 UTC
Red Hat Product Errata RHSA-2025:21051 0 None None None 2025-11-12 00:31:26 UTC
Red Hat Product Errata RHSA-2025:21083 0 None None None 2025-11-12 05:14:40 UTC
Red Hat Product Errata RHSA-2025:21084 0 None None None 2025-11-12 05:16:58 UTC
Red Hat Product Errata RHSA-2025:21091 0 None None None 2025-11-12 08:08:57 UTC
Red Hat Product Errata RHSA-2025:21112 0 None None None 2025-11-12 11:25:18 UTC
Red Hat Product Errata RHSA-2025:21128 0 None None None 2025-11-12 13:48:52 UTC
Red Hat Product Errata RHSA-2025:21136 0 None None None 2025-11-12 15:05:23 UTC
Red Hat Product Errata RHSA-2025:22752 0 None None None 2025-12-04 12:45:53 UTC

Description OSIDB Bzimport 2025-09-17 15:02:12 UTC 
In the Linux kernel, the following vulnerability has been resolved:

fs: fix UAF/GPF bug in nilfs_mdt_destroy

In alloc_inode, inode_init_always() could return -ENOMEM if
security_inode_alloc() fails, which causes inode->i_private
uninitialized. Then nilfs_is_metadata_file_inode() returns
true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
which frees the uninitialized inode->i_private
and leads to crashes(e.g., UAF/GPF).

Fix this by moving security_inode_alloc just prior to
this_cpu_inc(nr_inodes)
Comment 1 Keith Grant 2025-09-17 17:57:43 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091716-CVE-2022-50367-651c@gregkh/T
Comment 3 errata-xmlrpc 2025-11-03 02:27:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:19409 https://access.redhat.com/errata/RHSA-2025:19409
Comment 8 errata-xmlrpc 2025-11-06 08:55:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:19886 https://access.redhat.com/errata/RHSA-2025:19886
Comment 9 errata-xmlrpc 2025-11-10 00:59:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:19932 https://access.redhat.com/errata/RHSA-2025:19932
Comment 10 errata-xmlrpc 2025-11-10 01:17:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:19931 https://access.redhat.com/errata/RHSA-2025:19931
Comment 11 errata-xmlrpc 2025-11-12 00:31:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:21051 https://access.redhat.com/errata/RHSA-2025:21051
Comment 12 errata-xmlrpc 2025-11-12 05:14:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:21083 https://access.redhat.com/errata/RHSA-2025:21083
Comment 13 errata-xmlrpc 2025-11-12 05:16:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:21084 https://access.redhat.com/errata/RHSA-2025:21084
Comment 14 errata-xmlrpc 2025-11-12 08:08:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:21091 https://access.redhat.com/errata/RHSA-2025:21091
Comment 15 errata-xmlrpc 2025-11-12 11:25:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:21112 https://access.redhat.com/errata/RHSA-2025:21112
Comment 16 errata-xmlrpc 2025-11-12 13:48:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:21128 https://access.redhat.com/errata/RHSA-2025:21128
Comment 17 errata-xmlrpc 2025-11-12 15:05:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:21136 https://access.redhat.com/errata/RHSA-2025:21136
Comment 18 errata-xmlrpc 2025-12-04 12:45:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:22752 https://access.redhat.com/errata/RHSA-2025:22752
Note You need to log in before you can comment on or make changes to this bug.