CVE-2022-50273 in Linux

Summary

by MITRE • 09/15/2025

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on destination blkaddr during recovery

As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=216456

loop5: detected capacity change from 0 to 131072
F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1
F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0
F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1
F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0
F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1
F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0
F2FS-fs (loop5): Bitmap was wrongly set, blk:5634
------------[ cut here ]------------
WARNING: CPU: 3 PID: 1013 at fs/f2fs/segment.c:2198
RIP: 0010:update_sit_entry+0xa55/0x10b0 [f2fs]
Call Trace:
<TASK>
f2fs_do_replace_block+0xa98/0x1890 [f2fs]
f2fs_replace_block+0xeb/0x180 [f2fs]
recover_data+0x1a69/0x6ae0 [f2fs]
f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]
f2fs_fill_super+0x4665/0x61e0 [f2fs]
mount_bdev+0x2cf/0x3b0
legacy_get_tree+0xed/0x1d0
vfs_get_tree+0x81/0x2b0
path_mount+0x47e/0x19d0
do_mount+0xce/0xf0
__x64_sys_mount+0x12c/0x1a0
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd

If we enable the CONFIG_F2FS_CHECK_FS config option, it will trigger a kernel panic instead of a warning.

The root cause is: in the fuzzed image, the SIT table is inconsistent with the inode mapping table, resulting in such a warning being triggered during the SIT table update.

This patch introduces a new flag, DATA_GENERIC_ENHANCE_UPDATE; with this flag, the data block recovery flow can check the destination blkaddr's validity in the SIT table and skip f2fs_replace_block() to avoid an inconsistent status.


Analysis

by VulDB Data Team • 01/10/2026

CVE-2022-50273 affects the F2FS (Flash-Friendly File System) implementation in the Linux kernel and represents a critical issue in the file system's recovery mechanism. The flaw manifests during recovery, when F2FS attempts to restore data blocks after a crash or unexpected shutdown. It occurs specifically when the SIT (Segment Information Table) is inconsistent with the inode mapping table, leading to incorrect block address handling during data recovery. The issue was reported through the Linux kernel bugzilla and demonstrates how a fuzzed file system image can trigger an inconsistent state that ends in a kernel panic.

Technically, the vulnerability stems from insufficient validation in the F2FS data recovery path. During recovery, the kernel replaces blocks via f2fs_replace_block without first validating the destination block address against the SIT table. This gap lets the kernel operate on an invalid block address, which produces a kernel warning and escalates to a kernel panic when CONFIG_F2FS_CHECK_FS is enabled. The warning fires in update_sit_entry in fs/f2fs/segment.c at line 2198, where the SIT table is updated with inconsistent block information. The call trace shows the path from recovery data processing through the block replacement functions to the failing SIT table update.

The operational impact goes beyond simple instability: the flaw can lead to complete system crashes and data corruption. When F2FS meets a corrupted or inconsistent state during recovery, in particular block addresses that do not match the SIT table, the recovery mechanism fails catastrophically. The vulnerability affects systems running Linux kernels with F2FS support and could be exploited to cause denial of service, especially where file system recovery is critical or automated. Embedded systems, storage servers, and any environment that uses F2FS as its primary file system and is subject to unexpected shutdowns are particularly exposed, since those are the scenarios that trigger the flawed recovery mechanism.

The fix for CVE-2022-50273 introduces a new flag, DATA_GENERIC_ENHANCE_UPDATE, which makes the data block recovery flow validate destination block addresses against the SIT table. With the flag set, f2fs_replace_block is not called when the destination block address is invalid or inconsistent with the current SIT state. The patch therefore addresses the inconsistency between the SIT table and the inode mapping table that a fuzzed image produces, so that recovery proceeds only for valid and consistent block addresses. This is a defensive-programming mitigation in line with security best practice for file system implementations: a sanity check before any block replacement prevents the kernel panic and keeps the system stable during recovery. It also shows the proper way to handle recovery from file system corruption, validating before any state transition, consistent with the CWE-129 principle of input validation and proper error handling in system components.
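As an added illustration (not the kernel's code, and simplified relative to the actual patch), the following C model contrasts the unchecked recovery flow from the summary above with the checked flow this paragraph describes: the recovery destination is validated against a toy SIT bitmap before the replace step. The address range, bitmap layout, result names and block 5634 scenario are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the f2fs SIT validity bitmap: one bit per block of the
 * main area. The address range is constructed for this example; block 5634 is
 * the address named in the log above. Addresses passed to sit_* must be in range. */
#define MAIN_BLKADDR 4096u
#define MAX_BLKADDR  8192u

static uint8_t sit_valid[(MAX_BLKADDR - MAIN_BLKADDR) / 8];

static void reset_sit(void) { memset(sit_valid, 0, sizeof sit_valid); }

static bool sit_test(uint32_t blk) {
    uint32_t i = blk - MAIN_BLKADDR;
    return (sit_valid[i / 8] >> (i % 8)) & 1u;
}

/* Models update_sit_entry(): marking a block valid when its bit is already set
 * is the "Bitmap was wrongly set" condition from the trace. With
 * CONFIG_F2FS_CHECK_FS the real kernel would panic here instead of warning. */
static bool sit_set_valid(uint32_t blk) {
    if (sit_test(blk)) {
        fprintf(stderr, "WARNING: Bitmap was wrongly set, blk:%u\n", blk);
        return false;
    }
    sit_valid[(blk - MAIN_BLKADDR) / 8] |= (uint8_t)(1u << ((blk - MAIN_BLKADDR) % 8));
    return true;
}

/* Models the sanity check the DATA_GENERIC_ENHANCE_UPDATE flag adds: a recovery
 * destination must lie in the main area and must not already be valid in SIT. */
static bool dest_blkaddr_is_sane(uint32_t dest) {
    if (dest < MAIN_BLKADDR || dest >= MAX_BLKADDR)
        return false;
    return !sit_test(dest);
}

enum recover_result { RECOVER_REPLACED, RECOVER_SKIPPED, RECOVER_WARNED };

/* One data-block recovery step. enhanced_check=false is the pre-fix flow,
 * which calls the replace path blindly; true is the fixed flow, which skips it. */
static enum recover_result recover_block(uint32_t dest, bool enhanced_check) {
    if (enhanced_check && !dest_blkaddr_is_sane(dest))
        return RECOVER_SKIPPED;   /* caller would flag the image for fsck */
    return sit_set_valid(dest) ? RECOVER_REPLACED : RECOVER_WARNED;
}
```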

The vulnerability relates to several ATT&CK techniques, including privilege escalation through kernel exploits and system compromise via denial of service. It can be categorized under CWE-284 Access Control and CWE-362 Concurrency Issues in kernel-space operations, as it involves improper handling of concurrent access to shared file system data structures during recovery. The patch is a defensive-programming approach that follows the principle of least privilege and proper resource management, so that kernel operations maintain system integrity even when they encounter corrupted data structures. Organizations should update their Linux systems with the patches for this vulnerability to prevent kernel panics and maintain stability in production environments that use F2FS.

Responsible: Linux
Reservation: 09/15/2025
Disclosure: 09/15/2025
Moderation: accepted
CPE: ready
EPSS: 0.00145
KEV: no
Activities: very low
