CVE-2022-50581 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

hfs: fix OOB Read in __hfs_brec_find

Syzbot reported a OOB read bug:

==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190
fs/hfs/string.c:84
Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted
6.1.0-rc6-syzkaller-00308-g644e9524388a #0
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report+0xcd/0x100 mm/kasan/report.c:495
hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
__hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75
hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138
hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462
write_inode fs/fs-writeback.c:1440 [inline]

If the input inode of hfs_write_inode() is incorrect:
struct inode
struct hfs_inode_info
struct hfs_cat_key
struct hfs_name
u8 len # len is greater than HFS_NAMELEN(31) which is the
maximum length of an HFS filename

OOB read occurred:
hfs_write_inode()
hfs_brec_find()
__hfs_brec_find()
hfs_cat_keycmp()
hfs_strcmp() # OOB read occurred due to len is too large

Fix this by adding a Check on len in hfs_write_inode() before calling
hfs_brec_find().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 8c40f2dbae603ef0bd21e87c63f54ec59fd88256
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< c886c10a6eddb99923b315f42bf63f448883ef9a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 90103ccb6e60aa4efe48993d23d6a528472f2233
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4fd3a11804c8877ff11fec59c5c53f1635331e3e
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 367296925c7625c3969d2a78d7a3e1dee161beb5
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e9e692917c6e10a7066c7a6d092dcdc3d4e329f3
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< bfc9d8f27f89717431a6aecce42ae230b437433f
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 8d824e69d9f3fa3121b2dda25053bae71e2460d2

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`4.9.337`	unaffected	≤ 4.9.*
`4.14.303`	unaffected	≤ 4.14.*
`4.19.270`	unaffected	≤ 4.19.*
`5.4.229`	unaffected	≤ 5.4.*
`5.10.163`	unaffected	≤ 5.10.*
`5.15.86`	unaffected	≤ 5.15.*
`6.0.16`	unaffected	≤ 6.0.*
`6.1.2`	unaffected	≤ 6.1.*
`6.2`	unaffected	≤ *

No data.

Vendor	Product	Confidence	Versions
Linux	Linux Kernel	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30
https://git.kernel.org/stable/c/367296925c7625c3969d2a78d7a3e1dee161beb5
https://git.kernel.org/stable/c/4fd3a11804c8877ff11fec59c5c53f1635331e3e
https://git.kernel.org/stable/c/8c40f2dbae603ef0bd21e87c63f54ec59fd88256
https://git.kernel.org/stable/c/8d824e69d9f3fa3121b2dda25053bae71e2460d2
https://git.kernel.org/stable/c/90103ccb6e60aa4efe48993d23d6a528472f2233
https://git.kernel.org/stable/c/bfc9d8f27f89717431a6aecce42ae230b437433f
https://git.kernel.org/stable/c/c886c10a6eddb99923b315f42bf63f448883ef9a
https://git.kernel.org/stable/c/e9e692917c6e10a7066c7a6d092dcdc3d4e329f3
https://lore.kernel.org/linux-cve-announce/2025102209-CVE-2022-50581-cb39@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-50581
https://www.cve.org/CVERecord?id=CVE-2022-50581

History

Tue, 23 Dec 2025 13:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel::::::::

Thu, 23 Oct 2025 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Vendors & Products		Linux Linux linux Kernel

Thu, 23 Oct 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025102209-CVE-2022-50581-cb39@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2022-50581 https://www.cve.org/CVERecord?id=CVE-2022-50581
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 22 Oct 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: hfs: fix OOB Read in __hfs_brec_find Syzbot reported a OOB read bug: ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190 fs/hfs/string.c:84 Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11 CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.0-rc6-syzkaller-00308-g644e9524388a #0 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_strcmp+0x117/0x190 fs/hfs/string.c:84 __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75 hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138 hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462 write_inode fs/fs-writeback.c:1440 [inline] If the input inode of hfs_write_inode() is incorrect: struct inode struct hfs_inode_info struct hfs_cat_key struct hfs_name u8 len # len is greater than HFS_NAMELEN(31) which is the maximum length of an HFS filename OOB read occurred: hfs_write_inode() hfs_brec_find() __hfs_brec_find() hfs_cat_keycmp() hfs_strcmp() # OOB read occurred due to len is too large Fix this by adding a Check on len in hfs_write_inode() before calling hfs_brec_find().
Title		hfs: fix OOB Read in __hfs_brec_find
References		https://git.kernel.org/stable/c/2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30 https://git.kernel.org/stable/c/367296925c7625c3969d2a78d7a3e1dee161beb5 https://git.kernel.org/stable/c/4fd3a11804c8877ff11fec59c5c53f1635331e3e https://git.kernel.org/stable/c/8c40f2dbae603ef0bd21e87c63f54ec59fd88256 https://git.kernel.org/stable/c/8d824e69d9f3fa3121b2dda25053bae71e2460d2 https://git.kernel.org/stable/c/90103ccb6e60aa4efe48993d23d6a528472f2233 https://git.kernel.org/stable/c/bfc9d8f27f89717431a6aecce42ae230b437433f https://git.kernel.org/stable/c/c886c10a6eddb99923b315f42bf63f448883ef9a https://git.kernel.org/stable/c/e9e692917c6e10a7066c7a6d092dcdc3d4e329f3

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-10-22T13:23:33.421Z

Updated: 2025-12-23T13:30:13.988Z

Reserved: 2025-10-22T13:20:23.762Z

Link: CVE-2022-50581

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-10-22T14:15:43.147

Modified: 2025-10-22T21:12:48.953

Link: CVE-2022-50581

Redhat

Severity : Moderate

Publid Date: 2025-10-22T00:00:00Z

Links: CVE-2022-50581 - Bugzilla

OpenCVE Enrichment

Updated: 2025-10-23T10:07:32Z

Weaknesses

No weakness.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

Tracking

JSON object

JSON object

JSON object

JSON object

JSON object