CVE-2022-50313

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50313
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50313.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50313
Downstream
Published
2025-09-15T14:46:08.357Z
Modified
2025-11-28T02:35:18.774142Z
Summary
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
Details

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix order >= MAXORDER warning due to crafted negative isize

As syzbot reported [1], the root cause is that isize field is a signed type, and negative isize is also less than EROFS_BLKSIZ. As a consequence, it's handled as fast symlink unexpectedly.

Let's fall back to the generic path to deal with such unusual i_size.

[1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50313.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
431339ba90423a038914c6032bfd71f0ba7ef2f2
Fixed
17a0cdbd7b0cf0fc0d7ca4187a67f8f1c18c291f
Fixed
0ab621fcdff1a58ff4de51a8590fa92a0ecd34be
Fixed
acc2f40b980c61a9178b72cdedd150b829064997
Fixed
b6c8330f5b0f22149957a2e4977fd0f01a9db7cd
Fixed
6235fb899b25fd287d5e42635ff82196395708cc
Fixed
1dd73601a1cba37a0ed5f89a8662c90191df5873

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.19.0
Fixed
5.4.289
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.233
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.82
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.19.17
Type
ECOSYSTEM
Events
Introduced
5.20.0
Fixed
6.0.3