CVE-2022-50300 in Linux
Summary
by MITRE • 09/15/2025
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix extent map use-after-free when handling missing device in read_one_chunk
Store the error code before freeing the extent_map. Though it's reference counted structure, in that function it's the first and last allocation so this would lead to a potential use-after-free.
The error can happen eg. when chunk is stored on a missing device and the degraded mount option is missing.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/10/2026
The vulnerability CVE-2022-50300 represents a critical use-after-free condition within the Linux kernel's btrfs file system implementation that stems from improper handling of extent map structures during chunk recovery operations. This flaw specifically manifests when the btrfs file system attempts to process chunk data that resides on devices that are no longer accessible or have been removed from the system. The underlying issue occurs in the read_one_chunk function where the kernel fails to preserve the error code before proceeding with the deallocation of the extent_map structure, creating a window where subsequent access to freed memory could occur.
The technical root cause of this vulnerability aligns with CWE-416, which describes the use of freed memory condition that arises when a program continues to reference memory after it has been freed. In this specific case, the extent_map structure, which serves as a reference for chunk data mapping within btrfs, becomes prematurely deallocated while error handling code still requires access to its contents. The reference counting mechanism that typically protects against such issues fails here because the extent_map in question represents both the first and last allocation within the function context, eliminating the protective reference count that would normally prevent double-free scenarios. This particular code path is triggered when the btrfs file system encounters a chunk stored on a missing device without the proper degraded mount option being specified, creating an exceptional condition where the normal error recovery flow becomes compromised.
The operational impact of CVE-2022-50300 extends beyond simple system instability to potentially enable remote code execution or privilege escalation within affected systems. When a btrfs file system experiences a missing device scenario without proper degraded mounting, the kernel's handling of the extent_map structure can result in memory corruption that may be exploited by malicious actors. This vulnerability is particularly concerning in environments where btrfs is used as the primary file system for critical infrastructure or where automatic recovery mechanisms might be triggered during normal system operations. The potential for exploitation increases when considering that the affected kernel versions may be running in production environments where the degraded mount option is not properly configured, leaving systems vulnerable to both denial-of-service attacks and more sophisticated exploitation techniques that leverage memory corruption vulnerabilities.
Mitigation strategies for CVE-2022-50300 should prioritize immediate kernel updates to versions containing the patched implementation that properly preserves error codes before extent_map deallocation. System administrators should also implement proper configuration management to ensure that btrfs file systems are mounted with appropriate degraded options when device redundancy is expected or when device removal scenarios are possible. The fix addresses the vulnerability by ensuring that error codes are stored in temporary variables before the extent_map structure is freed, preventing the potential use-after-free scenario that could be exploited to execute arbitrary code. Security monitoring should focus on identifying systems running vulnerable kernel versions and ensuring proper btrfs mount options are configured, particularly in environments where device failures or removals are common. This vulnerability also highlights the importance of proper memory management practices in kernel space code and serves as a reminder of the critical nature of reference counting and memory lifecycle management in operating system components. The ATT&CK framework categorizes this vulnerability under privilege escalation and denial of service techniques, as exploitation could potentially allow attackers to gain elevated privileges or disrupt system availability through memory corruption.