CVE-2022-49707: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49707 is a NULL pointer dereference vulnerability in the Linux kernel's ext4 filesystem component, discovered in 2022. The vulnerability occurs when resizing a corrupt ext4 image where the resize_inode feature has been cleared without running e2fsck. The issue affects Linux kernel versions from 4.9.320 through 5.18.6 (NVD).

The vulnerability is triggered when the resizeinode feature is cleared and the filesystem is converted to metabg mode in ext4resizefs(), but the es->sreservedgdtblocks is not reduced to zero. This leads to mistakenly calling reservebackupgdb() with an uninitialized resizeinode when adding new group descriptors. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-476 (NULL Pointer Dereference) (NVD).

When exploited, this vulnerability results in a NULL pointer dereference that can cause a kernel crash, leading to a denial of service condition. The vulnerability requires local access and can affect system availability but does not impact confidentiality or integrity (NVD).

The fix involves adding a check in ext4resizebegin() to ensure that es->sreservedgdtblocks is zero when the resizeinode feature is disabled. This patch has been implemented in the Linux kernel. Users should update to a patched version of the kernel to mitigate this vulnerability (Kernel Patch).