CVE-2022-50507

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50507
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50507.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50507
Published
2025-10-04T15:43:55.675Z
Modified
2025-11-29T13:25:39.386468Z
Summary
fs/ntfs3: Validate data run offset
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Validate data run offset

This adds sanity checks for data run offset. We should make sure data run offset is legit before trying to unpack them, otherwise we may encounter use-after-free or some unexpected memory access behaviors.

[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570
[ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240
[ 82.941670]
[ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15
[ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 82.943720] Call Trace:
[ 82.944204] <TASK>
[ 82.944471] dump_stack_lvl+0x49/0x63
[ 82.944908] print_report.cold+0xf5/0x67b
[ 82.945141] ? __wait_on_bit+0x106/0x120
[ 82.945750] ? run_unpack+0x2e3/0x570
[ 82.946626] kasan_report+0xa7/0x120
[ 82.947046] ? run_unpack+0x2e3/0x570
[ 82.947280] __asan_load1+0x51/0x60
[ 82.947483] run_unpack+0x2e3/0x570
[ 82.947709] ? memcpy+0x4e/0x70
[ 82.947927] ? run_pack+0x7a0/0x7a0
[ 82.948158] run_unpack_ex+0xad/0x3f0
[ 82.948399] ? mi_enum_attr+0x14a/0x200
[ 82.948717] ? run_unpack+0x570/0x570
[ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0
[ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0
[ 82.949611] ? mi_read+0x262/0x2c0
[ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180
[ 82.950249] ntfs_iget5+0x632/0x1870
[ 82.950621] ? ntfs_get_block_bmap+0x70/0x70
[ 82.951192] ? evict+0x223/0x280
[ 82.951525] ? iput.part.0+0x286/0x320
[ 82.951969] ntfs_fill_super+0x1321/0x1e20
[ 82.952436] ? put_ntfs+0x1d0/0x1d0
[ 82.952822] ? vsprintf+0x20/0x20
[ 82.953188] ? mutex_unlock+0x81/0xd0
[ 82.953379] ? set_blocksize+0x95/0x150
[ 82.954001] get_tree_bdev+0x232/0x370
[ 82.954438] ? put_ntfs+0x1d0/0x1d0
[ 82.954700] ntfs_fs_get_tree+0x15/0x20
[ 82.955049] vfs_get_tree+0x4c/0x130
[ 82.955292] path_mount+0x645/0xfd0
[ 82.955615] ? putname+0x80/0xa0
[ 82.955955] ? finish_automount+0x2e0/0x2e0
[ 82.956310] ? kmem_cache_free+0x110/0x390
[ 82.956723] ? putname+0x80/0xa0
[ 82.957023] do_mount+0xd6/0xf0
[ 82.957411] ? path_mount+0xfd0/0xfd0
[ 82.957638] ? __kasan_check_write+0x14/0x20
[ 82.957948] __x64_sys_mount+0xca/0x110
[ 82.958310] do_syscall_64+0x3b/0x90
[ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 82.959341] RIP: 0033:0x7fd0d1ce948a
[ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
[ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a
[ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0
[ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020
[ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0
[ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50507.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4534a70b7056fd4b9a1c6db5a4ce3c98546b291e
Fixed
de5e0955248ff90a2ae91e7f5c108392b52152d0
Fixed
e0455361d3068066a91fe18282b751925d7b5ee7
Fixed
9173b89c16a603d73c434b695fe2a7a13491300f
Fixed
6db620863f8528ed9a9aa5ad323b26554a17881d

Affected versions

v5.*

v5.14
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.82
v5.15.83
v5.15.84
v5.15.85
v5.15.86
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.2

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
5.15.87
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.17
Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.3