CVE-2022-49846: 
Linux Kernel vulnerability analysis and mitigation

A slab-out-of-bounds write vulnerability (CVE-2022-49846) was discovered in the Linux kernel's UDF filesystem implementation, specifically in the udffindentry() function located in fs/udf/namei.c at line 253. The vulnerability was identified by Syzbot and reported on May 1, 2025. The issue affects multiple versions of the Linux kernel, including versions from 4.15 up to 4.19.267 and from 4.20 up to 5.4.225 (NVD).

The vulnerability manifests as a slab-out-of-bounds write bug that occurs when there is a capacity change detection from 0 to 2048 in the loop0 device. The bug triggers a write of size 105 at address ffff8880123ff896, which exceeds the bounds of an allocated 256-byte region. The affected memory region belongs to the kmalloc-256 cache, and the buggy address is located 150 bytes inside of the 256-byte region [ffff8880123ff800, ffff8880123ff900). The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to memory corruption in the kernel space, which could result in system crashes or potential privilege escalation. The out-of-bounds write could allow an attacker to manipulate kernel memory structures, potentially compromising system security (Wiz).

The vulnerability has been resolved in the Linux kernel through a patch that fixes the slab-out-of-bounds write bug in the udffindentry() function. Users should update their Linux kernel to a version that includes this security fix (NVD).