Use After Free Affecting kernel-syms package, versions <5.3.18-150300.59.211.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-SLES153-KERNELSYMS-10746274
- published15 Jul 2025
- disclosed14 Jul 2025
Introduced: 14 Jul 2025
CVE-2022-50092 (opens in a new tab)How to fix?
Upgrade SLES:15.3 kernel-syms to version 5.3.18-150300.59.211.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-syms package and not the kernel-syms package as distributed by SLES.
See How to fix? for SLES:15.3 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
dm thin: fix use-after-free crash in dm_sm_register_threshold_callback
Fault inject on pool metadata device reports: BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80 Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950
CPU: 7 PID: 950 Comm: dmsetup Tainted: G W 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xeb/0x3f4 kasan_report.cold+0xe6/0x147 dm_pool_register_metadata_threshold+0x40/0x80 pool_ctr+0xa0a/0x1150 dm_table_add_target+0x2c8/0x640 table_load+0x1fd/0x430 ctl_ioctl+0x2c4/0x5a0 dm_ctl_ioctl+0xa/0x10 __x64_sys_ioctl+0xb3/0xd0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0
This can be easily reproduced using: echo offline > /sys/block/sda/device/state dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10 dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0"
If a metadata commit fails, the transaction will be aborted and the metadata space maps will be destroyed. If a DM table reload then happens for this failed thin-pool, a use-after-free will occur in dm_sm_register_threshold_callback (called from dm_pool_register_metadata_threshold).
Fix this by in dm_pool_register_metadata_threshold() by returning the -EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr() with a new error message: "Error registering metadata threshold".
References
- https://www.suse.com/security/cve/CVE-2022-50092.html
- https://bugzilla.suse.com/1244848
- https://git.kernel.org/stable/c/05cef0999b3208b5a6ede1bfac855139e4de55ef
- https://git.kernel.org/stable/c/1a199fa9217d28511ff88529238fd9980ea64cf3
- https://git.kernel.org/stable/c/3534e5a5ed2997ca1b00f44a0378a075bd05e8a3
- https://git.kernel.org/stable/c/5e2cf705155a1514be3c96ea664a9cd356998ee7
- https://git.kernel.org/stable/c/e4dbe24f4bfd8377e7ba79fdcdb7c4d6eb1c6790
- https://git.kernel.org/stable/c/f83131a3071a0b61a4d7dca70f95adb3ffad920e