CVE-2022-49834 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free bug of ns_writer on remount

If a nilfs2 filesystem is downgraded to read-only due to metadata corruption on disk and is remounted read/write, or if emergency read-only remount is performed, detaching a log writer and synchronizing the filesystem can be done at the same time.

In these cases, use-after-free of the log writer (hereinafter nilfs->ns_writer) can happen as shown in the scenario below:

Task1 Task2 -------------------------------- ------------------------------ nilfs_construct_segment nilfs_segctor_sync init_wait init_waitqueue_entry add_wait_queue schedule nilfs_remount (R/W remount case) nilfs_attach_log_writer nilfs_detach_log_writer nilfs_segctor_destroy kfree finish_wait _raw_spin_lock_irqsave __raw_spin_lock_irqsave do_raw_spin_lock debug_spin_lock_before <-- use-after-free

While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 waked up, Task1 accesses nilfs->ns_writer which is already freed. This scenario diagram is based on the Shigeru Yoshida's post [1].

This patch fixes the issue by not detaching nilfs->ns_writer on remount so that this UAF race doesn't happen. Along with this change, this patch also inserts a few necessary read-only checks with superblock instance where only the ns_writer pointer was used to check if the filesystem is read-only.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/14/2026

The vulnerability described in CVE-2022-49834 represents a critical use-after-free condition affecting the nilfs2 filesystem implementation within the Linux kernel. This flaw manifests when a nilfs2 filesystem undergoes a transition from read-only to read-write mode due to metadata corruption or emergency remount operations. The issue stems from a race condition between concurrent kernel tasks where one task performs a synchronization operation while another simultaneously detaches and frees the log writer structure. The technical implementation involves the nilfs->ns_writer pointer becoming invalid during the remount process, creating a scenario where freed memory is accessed, potentially leading to system instability or privilege escalation.

The vulnerability operates through a classic race condition pattern where Task1 enters a sleeping state during a synchronization operation while Task2 concurrently executes a remount sequence that includes detaching and freeing the nilfs->ns_writer structure. The specific sequence involves nilfs_construct_segment calling nilfs_segctor_sync which sets up wait queues and schedules the task to sleep, while Task2 executes nilfs_remount which calls nilfs_attach_log_writer followed by nilfs_detach_log_writer that ultimately leads to kfree being invoked on the freed structure. When Task1 wakes up, it attempts to access the already-freed ns_writer pointer, resulting in undefined behavior that can compromise system integrity and potentially enable attackers to execute arbitrary code with kernel privileges.

This use-after-free vulnerability directly maps to CWE-416, which specifically addresses the use of freed memory conditions in software systems. The operational impact extends beyond simple system crashes to potential privilege escalation scenarios that align with ATT&CK technique T1068, which covers local privilege escalation through kernel vulnerabilities. The flaw affects systems running Linux kernels with nilfs2 filesystem support and can be exploited by malicious actors who have access to the system to perform filesystem operations that trigger the problematic remount sequence. The vulnerability is particularly concerning because it occurs in kernel space where memory corruption can lead to complete system compromise.

The fix implemented in this patch addresses the root cause by preventing the detachment of nilfs->ns_writer during remount operations, thereby eliminating the race condition that leads to the use-after-free scenario. This approach ensures that the log writer structure remains valid throughout the synchronization process, preventing access to freed memory. Additionally, the patch introduces proper read-only checks using superblock instances instead of relying solely on the ns_writer pointer, which provides more robust validation of filesystem state. The mitigation strategy follows established kernel security practices by avoiding premature resource deallocation in concurrent scenarios and implementing proper state validation mechanisms that prevent access to invalid memory references. This solution maintains the filesystem's integrity while preserving the intended functionality of read-only remount operations.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00190

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!