Description
In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.
References (6)
Core 6
Core References
Exploit, Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.kernel.org/show_bug.cgi?id=214655
Mailing List, Patch, Vendor Advisory x_refsource_misc
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9bf3d20331295b1ecb81f4ed9ef358c51699a050
Exploit, Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2022/03/17/2
Exploit, Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2022/03/17/1
Mailing List, Release Notes, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.3
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220419-0003/
Scores
CVSS v3
5.5
EPSS
0.0022
EPSS Percentile
44.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-416
Status
published
Products (9)
linux/linux_kernel
< 5.15.3
netapp/h300e_firmware
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
netapp/h500e_firmware
netapp/h500s_firmware
netapp/h700e_firmware
netapp/h700s_firmware
Published
Mar 18, 2022
Tracked Since
Feb 18, 2026