CVE-2022-48828 in Linuxinfo

Summary

by MITRE • 07/16/2024

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Fix ia_size underflow

iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle.

Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr().


Analysis

by VulDB Data Team • 09/25/2025

CVE-2022-48828 is an integer handling flaw in the Linux kernel's NFS server (NFSD) that affects the attribute-setting paths of both NFSv3 and NFSv4. It comes from a type mismatch between the kernel's internal representation of a file size and the size type defined by the NFS protocols: the kernel stores the requested size in a signed 64-bit loff_t, while the protocols define file size as an unsigned 64-bit integer. An NFS client can therefore send a size that is valid on the wire but outside the range the kernel's type can represent as a positive number.

The iattr::ia_size field is a loff_t, a signed 64-bit integer with a range of -9223372036854775808 to 9223372036854775807 (S64_MAX). NFSv3 and NFSv4 define file size as an unsigned 64-bit integer with a range of 0 to 18446744073709551615. Every size in the upper half of that range, above S64_MAX, cannot be held in a loff_t as a positive value. Before the fix, decode_fattr4() assigned the decoded u64 directly to ia_size; for such a value the assignment wraps and ia_size becomes negative (the commit message calls this an underflow). The negative size was then carried into nfsd_setattr() and onward to the VFS without any range check.

The practical effect is that a remote NFS client permitted to set attributes on an exported file can make the server's setattr path operate on a negative file size. The commit message describes the fix as catching this underflow in the common code path before the value reaches the VFS; it does not document a confirmed memory-corruption or privilege-escalation outcome, and the low EPSS score listed below is consistent with that. The issue still matters for any Linux host exporting NFS shares, because the oversized value is protocol-valid and so is not rejected by the XDR decoder or by ordinary client-side checks.

The upstream fix adds a range check to nfsd_setattr(), the code path shared by NFSv3 and NFSv4, so that a size request whose ia_size has gone negative is rejected before any VFS operation is attempted rather than being applied. Administrators should run a kernel that includes this fix on every host exporting NFS, with priority on exports reachable from clients they do not fully trust. Sensible complementary measures are restricting NFS exports to known client networks and alerting on SETATTR requests that carry size values above S64_MAX, which no legitimate client has reason to send. VulDB maps the issue to CWE-191 (integer underflow); the commit does not establish a specific ATT&CK technique, so any mapping to kernel privilege-escalation techniques is speculative.
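The u64-to-loff_t conversion described in the root-cause paragraph and the kind of common-path check the fix adds, as an added C model written for this page; it is not kernel code. struct iattr_model, the ATTR_SIZE bit value, and the helper names are this example's own, and the choice of FBIG ("file too large", code 27 in both NFSv3 and NFSv4) as the rejection status is an assumption about what a server should return, not a statement of what the kernel returns.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/*
 * Constructed model of the kernel types involved. The real struct iattr has
 * many more fields; only ia_valid and ia_size matter here. The ATTR_SIZE bit
 * position is illustrative, not the kernel's value.
 */
#define ATTR_SIZE (1u << 3)

struct iattr_model {
    unsigned int ia_valid;
    int64_t      ia_size;   /* loff_t in the kernel: signed 64-bit */
};

/* NFS status codes used below. FBIG is 27 in both NFSv3 and NFSv4 (assumed choice here). */
enum nfs_status { NFS_OK = 0, NFSERR_FBIG = 27 };

/*
 * Pre-fix behaviour modelled on decode_fattr4(): the u64 from the wire is
 * stored straight into the signed ia_size. For values above INT64_MAX the
 * conversion is implementation-defined in ISO C; on the two's-complement
 * targets the kernel is built for it wraps to a negative number.
 */
static void decode_size_unchecked(uint64_t wire_size, struct iattr_model *iap)
{
    iap->ia_size = (int64_t)wire_size;
    iap->ia_valid |= ATTR_SIZE;
}

/* Returns 1 if the wire value wraps negative when stored in a loff_t. */
int wire_size_wraps_negative(uint64_t wire_size)
{
    struct iattr_model iap = { 0 };
    decode_size_unchecked(wire_size, &iap);
    return iap.ia_size < 0;
}

/*
 * Common-path check in the spirit of the nfsd_setattr() fix: a size request
 * whose ia_size went negative is refused before any VFS call is made.
 */
static enum nfs_status nfsd_setattr_size_check(const struct iattr_model *iap)
{
    if ((iap->ia_valid & ATTR_SIZE) && iap->ia_size < 0)
        return NFSERR_FBIG;
    return NFS_OK;
}

/* Decode, then check, as a fixed server does. Returns the resulting NFS status. */
enum nfs_status setattr_size_status(uint64_t wire_size)
{
    struct iattr_model iap = { 0 };
    decode_size_unchecked(wire_size, &iap);
    return nfsd_setattr_size_check(&iap);
}

int main(void)
{
    /* Constructed sample sizes a client could place on the wire. */
    const uint64_t samples[] = {
        0,
        4096,
        (uint64_t)INT64_MAX,        /* largest size a loff_t can hold */
        (uint64_t)INT64_MAX + 1,    /* first value that wraps negative */
        UINT64_MAX,
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct iattr_model iap = { 0 };
        decode_size_unchecked(samples[i], &iap);
        printf("wire %20" PRIu64 " -> ia_size %20" PRId64 " -> %s\n",
               samples[i], iap.ia_size,
               nfsd_setattr_size_check(&iap) == NFS_OK ? "NFS_OK" : "NFSERR_FBIG");
    }
    return 0;
}
```

Running the program shows that every size above S64_MAX arrives in ia_size as a negative number, which is exactly the condition the check catches; the two values straddling the boundary (INT64_MAX and INT64_MAX + 1) make it easy to verify that the check rejects nothing a client could legitimately need.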

Responsible

Linux

Reservation

07/16/2024

Disclosure

07/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00251

KEV

no

Activities

very low
