Use After Free Affecting kernel-default-livepatch package, versions <5.14.21-150400.24.167.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-SLES154-KERNELDEFAULTLIVEPATCH-10724234
- published12 Jul 2025
- disclosed9 Jul 2025
Introduced: 9 Jul 2025
CVE-2022-49834 (opens in a new tab)How to fix?
Upgrade SLES:15.4 kernel-default-livepatch to version 5.14.21-150400.24.167.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-default-livepatch package and not the kernel-default-livepatch package as distributed by SLES.
See How to fix? for SLES:15.4 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free bug of ns_writer on remount
If a nilfs2 filesystem is downgraded to read-only due to metadata corruption on disk and is remounted read/write, or if emergency read-only remount is performed, detaching a log writer and synchronizing the filesystem can be done at the same time.
In these cases, use-after-free of the log writer (hereinafter nilfs->ns_writer) can happen as shown in the scenario below:
Task1 Task2
nilfs_construct_segment nilfs_segctor_sync init_wait init_waitqueue_entry add_wait_queue schedule nilfs_remount (R/W remount case) nilfs_attach_log_writer nilfs_detach_log_writer nilfs_segctor_destroy kfree finish_wait _raw_spin_lock_irqsave __raw_spin_lock_irqsave do_raw_spin_lock debug_spin_lock_before <-- use-after-free
While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 waked up, Task1 accesses nilfs->ns_writer which is already freed. This scenario diagram is based on the Shigeru Yoshida's post [1].
This patch fixes the issue by not detaching nilfs->ns_writer on remount so that this UAF race doesn't happen. Along with this change, this patch also inserts a few necessary read-only checks with superblock instance where only the ns_writer pointer was used to check if the filesystem is read-only.
References
- https://www.suse.com/security/cve/CVE-2022-49834.html
- https://bugzilla.suse.com/1242695
- https://git.kernel.org/stable/c/39a3ed68270b079c6b874d4e4727a512b9b4882c
- https://git.kernel.org/stable/c/4feedde5486c07ea79787839153a71ca71329c7d
- https://git.kernel.org/stable/c/8cccf05fe857a18ee26e20d11a8455a73ffd4efd
- https://git.kernel.org/stable/c/9b162e81045266a2d5b44df9dffdf05c54de9cca
- https://git.kernel.org/stable/c/afbd1188382a75f6cfe22c0b68533f7f9664f182
- https://git.kernel.org/stable/c/b152300d5a1ba4258dacf9916bff20e6a8c7603b
- https://git.kernel.org/stable/c/b2fbf10040216ef5ee270773755fc2f5da65b749
- https://git.kernel.org/stable/c/b4736ab5542112fe0a40f140a0a0b072954f34da