{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49276", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:49:39.298Z", "datePublished": "2025-02-26T01:56:20.559Z", "dateUpdated": "2025-02-26T01:56:20.559Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-26T01:56:20.559Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_scan_medium\n\nIf an error is returned in jffs2_scan_eraseblock() and some memory\nhas been added to the jffs2_summary *s, we can observe the following\nkmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff88812b889c40 (size 64):\n comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\n hex dump (first 32 bytes):\n 40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.\n 00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................\n backtrace:\n [<ffffffffae93a3a3>] __kmalloc+0x613/0x910\n [<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0\n [<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794\n [<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267\n [<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30\n [<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0\n [<ffffffffb0315d64>] mtd_get_sb+0x254/0x400\n [<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0\n [<ffffffffb0316478>] get_tree_mtd+0x498/0x840\n [<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30\n [<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0\n [<ffffffffaea7a98f>] path_mount+0x50f/0x1e50\n [<ffffffffaea7c3d7>] do_mount+0x107/0x130\n [<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0\n [<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160\n [<ffffffffb10142f5>] do_syscall_64+0x45/0x70\nunreferenced object 0xffff888114b54840 (size 32):\n comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\n hex dump (first 32 bytes):\n c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............\n 00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.\n backtrace:\n [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n [<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90\n [<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794\n [...]\nunreferenced object 0xffff888114b57280 (size 32):\n comm \"mount\", pid 692, jiffies 4294838393 (age 34.357s)\n hex dump (first 32 bytes):\n 10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............\n 00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.\n backtrace:\n [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n [<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90\n [<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794\n [...]\nunreferenced object 0xffff8881116cd510 (size 16):\n comm \"mount\", pid 692, jiffies 4294838395 (age 34.355s)\n hex dump (first 16 bytes):\n 00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.\n backtrace:\n [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n [<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90\n [<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794\n [...]\n--------------------------------------------\n\nTherefore, we should call jffs2_sum_reset_collected(s) on exit to\nrelease the memory added in s. In addition, a new tag \"out_buf\" is\nadded to prevent the NULL pointer reference caused by s being NULL.\n(thanks to Zhang Yi for this analysis)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/jffs2/scan.c"], "versions": [{"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "9b0c69182f09b70779817af4dcf89780955d5c4c", "status": "affected", "versionType": "git"}, {"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "b36bccb04e14cc0c1e2d0e92d477fe220314fad6", "status": "affected", "versionType": "git"}, {"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "e711913463af916d777a4873068f415f1fe2ad33", "status": "affected", "versionType": "git"}, {"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "455f4a23490bfcbedc8e5c245c463a59b19e5ddd", "status": "affected", "versionType": "git"}, {"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "51dbb5e36d59f62e34d462b801c1068248149cfe", "status": "affected", "versionType": "git"}, {"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "52ba0ab4f0a606f02a6163493378989faa1ec10a", "status": "affected", "versionType": "git"}, {"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "b26bbc0c122cad038831f226a4cb4de702225e16", "status": "affected", "versionType": "git"}, {"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "82462324bf35b6b553400af1c1aa265069cee28f", "status": "affected", "versionType": "git"}, {"version": "e631ddba588783edd521c5a89f7b2902772fb691", "lessThan": "9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/jffs2/scan.c"], "versions": [{"version": "2.6.15", "status": "affected"}, {"version": "0", "lessThan": "2.6.15", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.311", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.276", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.238", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.189", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.110", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.33", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.19", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.2", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/9b0c69182f09b70779817af4dcf89780955d5c4c"}, {"url": "https://git.kernel.org/stable/c/b36bccb04e14cc0c1e2d0e92d477fe220314fad6"}, {"url": "https://git.kernel.org/stable/c/e711913463af916d777a4873068f415f1fe2ad33"}, {"url": "https://git.kernel.org/stable/c/455f4a23490bfcbedc8e5c245c463a59b19e5ddd"}, {"url": "https://git.kernel.org/stable/c/51dbb5e36d59f62e34d462b801c1068248149cfe"}, {"url": "https://git.kernel.org/stable/c/52ba0ab4f0a606f02a6163493378989faa1ec10a"}, {"url": "https://git.kernel.org/stable/c/b26bbc0c122cad038831f226a4cb4de702225e16"}, {"url": "https://git.kernel.org/stable/c/82462324bf35b6b553400af1c1aa265069cee28f"}, {"url": "https://git.kernel.org/stable/c/9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df"}], "title": "jffs2: fix memory leak in jffs2_scan_medium", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "73A8CFF5-6110-4547-8A39-17A10B5D347A", "versionEndExcluding": "4.9.311", "versionStartIncluding": "2.6.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D9B028C-6313-47F9-94B7-5F8122345E49", "versionEndExcluding": "4.14.276", "versionStartIncluding": "4.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA28527A-11D3-41D2-9C4C-ECAC0D6A4A2D", "versionEndExcluding": "4.19.238", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CB6E8F5-C2B1-46F3-A807-0F6104AC340F", "versionEndExcluding": "5.4.189", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "91D3BFD0-D3F3-4018-957C-96CCBF357D79", "versionEndExcluding": "5.10.110", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "27C42AE8-B387-43E2-938A-E1C8B40BE6D5", "versionEndExcluding": "5.15.33", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B", "versionEndExcluding": "5.16.19", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_scan_medium\n\nIf an error is returned in jffs2_scan_eraseblock() and some memory\nhas been added to the jffs2_summary *s, we can observe the following\nkmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff88812b889c40 (size 64):\n comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\n hex dump (first 32 bytes):\n 40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.\n 00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................\n backtrace:\n [<ffffffffae93a3a3>] __kmalloc+0x613/0x910\n [<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0\n [<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794\n [<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267\n [<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30\n [<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0\n [<ffffffffb0315d64>] mtd_get_sb+0x254/0x400\n [<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0\n [<ffffffffb0316478>] get_tree_mtd+0x498/0x840\n [<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30\n [<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0\n [<ffffffffaea7a98f>] path_mount+0x50f/0x1e50\n [<ffffffffaea7c3d7>] do_mount+0x107/0x130\n [<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0\n [<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160\n [<ffffffffb10142f5>] do_syscall_64+0x45/0x70\nunreferenced object 0xffff888114b54840 (size 32):\n comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\n hex dump (first 32 bytes):\n c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............\n 00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.\n backtrace:\n [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n [<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90\n [<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794\n [...]\nunreferenced object 0xffff888114b57280 (size 32):\n comm \"mount\", pid 692, jiffies 4294838393 (age 34.357s)\n hex dump (first 32 bytes):\n 10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............\n 00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.\n backtrace:\n [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n [<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90\n [<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794\n [...]\nunreferenced object 0xffff8881116cd510 (size 16):\n comm \"mount\", pid 692, jiffies 4294838395 (age 34.355s)\n hex dump (first 16 bytes):\n 00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.\n backtrace:\n [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n [<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90\n [<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794\n [...]\n--------------------------------------------\n\nTherefore, we should call jffs2_sum_reset_collected(s) on exit to\nrelease the memory added in s. In addition, a new tag \"out_buf\" is\nadded to prevent the NULL pointer reference caused by s being NULL.\n(thanks to Zhang Yi for this analysis)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jffs2: corregir p\u00e9rdida de memoria en jffs2_scan_medium Si se devuelve un error en jffs2_scan_eraseblock() y se ha a\u00f1adido algo de memoria a los *s de jffs2_summary, podemos observar el siguiente informe de kmemleak: -------------------------------------------- unreferenced object 0xffff88812b889c40 (size 64): comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s) hex dump (first 32 bytes): 40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P. 00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................ seguimiento inverso:[] __kmalloc+0x613/0x910 [] jffs2_sum_add_dirent_mem+0x5c/0xa0 [] jffs2_scan_medium.cold+0x36e5/0x4794 [] jffs2_do_mount_fs.cold+0xa7/0x2267 [] jffs2_do_fill_super+0x383/0xc30 [] jffs2_fill_super+0x2ea/0x4c0 [] mtd_get_sb+0x254/0x400 [] mtd_get_sb_by_nr+0x4f/0xd0 [] get_tree_mtd+0x498/0x840 [] jffs2_get_tree+0x25/0x30 [] vfs_get_tree+0x8d/0x2e0 [] path_mount+0x50f/0x1e50 [] do_mount+0x107/0x130 [] __se_sys_mount+0x1c5/0x2f0 [] __x64_sys_mount+0xc7/0x160 [] do_syscall_64+0x45/0x70 objeto sin referencia 0xffff888114b54840 (tama\u00f1o 32): comm \"mount\", pid 692, jiffies 4294838325 (antig\u00fcedad 34.288s) volcado hexadecimal (primeros 32 bytes): c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u.............. 00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk. backtrace: [] kmem_cache_alloc_trace+0x584/0x880 [] jffs2_sum_add_inode_mem+0x54/0x90 [] jffs2_scan_medium.cold+0x4481/0x4794 [...] objeto sin referencia 0xffff888114b57280 (tama\u00f1o 32): comm \"mount\", pid 692, jiffies 4294838393 (edad 34.357s) volcado hexadecimal (primeros 32 bytes): 10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l............. 00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk. seguimiento inverso: [] kmem_cache_alloc_trace+0x584/0x880 [] jffs2_sum_add_xattr_mem+0x54/0x90 [] jffs2_scan_medium.cold+0x298c/0x4794 [...] objeto sin referencia 0xffff8881116cd510 (tama\u00f1o 16): comm \"mount\", pid 692, jiffies 4294838395 (edad 34.355s) volcado hexadecimal (primeros 16 bytes): 00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k. backtrace: [] kmem_cache_alloc_trace+0x584/0x880 [] jffs2_sum_add_xref_mem+0x54/0x90 [] jffs2_scan_medium.cold+0x3a20/0x4794 [...] -------------------------------------------- Por lo tanto, debemos llamar a jffs2_sum_reset_collected(s) al salir para liberar la memoria agregada en s. Adem\u00e1s, se agrega una nueva etiqueta \"out_buf\" para evitar la referencia de puntero NULL causada por s que es NULL. (gracias a Zhang Yi por este an\u00e1lisis)"}], "id": "CVE-2022-49276", "lastModified": "2025-04-14T17:08:00.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:01:04.470", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/455f4a23490bfcbedc8e5c245c463a59b19e5ddd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/51dbb5e36d59f62e34d462b801c1068248149cfe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/52ba0ab4f0a606f02a6163493378989faa1ec10a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/82462324bf35b6b553400af1c1aa265069cee28f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9b0c69182f09b70779817af4dcf89780955d5c4c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b26bbc0c122cad038831f226a4cb4de702225e16"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b36bccb04e14cc0c1e2d0e92d477fe220314fad6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e711913463af916d777a4873068f415f1fe2ad33"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: jffs2: fix memory leak in jffs2_scan_medium", "id": "2348044", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348044"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\njffs2: fix memory leak in jffs2_scan_medium\nIf an error is returned in jffs2_scan_eraseblock() and some memory\nhas been added to the jffs2_summary *s, we can observe the following\nkmemleak report:\n--------------------------------------------\nunreferenced object 0xffff88812b889c40 (size 64):\ncomm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\nhex dump (first 32 bytes):\n40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.\n00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................\nbacktrace:\n[<ffffffffae93a3a3>] __kmalloc+0x613/0x910\n[<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0\n[<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794\n[<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267\n[<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30\n[<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0\n[<ffffffffb0315d64>] mtd_get_sb+0x254/0x400\n[<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0\n[<ffffffffb0316478>] get_tree_mtd+0x498/0x840\n[<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30\n[<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0\n[<ffffffffaea7a98f>] path_mount+0x50f/0x1e50\n[<ffffffffaea7c3d7>] do_mount+0x107/0x130\n[<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0\n[<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160\n[<ffffffffb10142f5>] do_syscall_64+0x45/0x70\nunreferenced object 0xffff888114b54840 (size 32):\ncomm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\nhex dump (first 32 bytes):\nc0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............\n00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.\nbacktrace:\n[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n[<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90\n[<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794\n[...]\nunreferenced object 0xffff888114b57280 (size 32):\ncomm \"mount\", pid 692, jiffies 4294838393 (age 34.357s)\nhex dump (first 32 bytes):\n10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............\n00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.\nbacktrace:\n[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n[<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90\n[<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794\n[...]\nunreferenced object 0xffff8881116cd510 (size 16):\ncomm \"mount\", pid 692, jiffies 4294838395 (age 34.355s)\nhex dump (first 16 bytes):\n00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.\nbacktrace:\n[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n[<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90\n[<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794\n[...]\n--------------------------------------------\nTherefore, we should call jffs2_sum_reset_collected(s) on exit to\nrelease the memory added in s. In addition, a new tag \"out_buf\" is\nadded to prevent the NULL pointer reference caused by s being NULL.\n(thanks to Zhang Yi for this analysis)"], "name": "CVE-2022-49276", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49276\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49276\nhttps://lore.kernel.org/linux-cve-announce/2025022631-CVE-2022-49276-d58d@gregkh/T"], "threat_severity": "Moderate"}