CVE-2022-50755 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

udf: Avoid double brelse() in udf_rename()

syzbot reported a warning like below [1]:

VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0
...
Call Trace:
<TASK>
invalidate_bh_lru+0x99/0x150
smp_call_function_many_cond+0xe2a/0x10c0
? generic_remap_file_range_prep+0x50/0x50
? __brelse+0xa0/0xa0
? __mutex_lock+0x21c/0x12d0
? smp_call_on_cpu+0x250/0x250
? rcu_read_lock_sched_held+0xb/0x60
? lock_release+0x587/0x810
? __brelse+0xa0/0xa0
? generic_remap_file_range_prep+0x50/0x50
on_each_cpu_cond_mask+0x3c/0x80
blkdev_flush_mapping+0x13a/0x2f0
blkdev_put_whole+0xd3/0xf0
blkdev_put+0x222/0x760
deactivate_locked_super+0x96/0x160
deactivate_super+0xda/0x100
cleanup_mnt+0x222/0x3d0
task_work_run+0x149/0x240
? task_work_cancel+0x30/0x30
do_exit+0xb29/0x2a40
? reacquire_held_locks+0x4a0/0x4a0
? do_raw_spin_lock+0x12a/0x2b0
? mm_update_next_owner+0x7c0/0x7c0
? rwlock_bug.part.0+0x90/0x90
? zap_other_threads+0x234/0x2d0
do_group_exit+0xd0/0x2a0
__x64_sys_exit_group+0x3a/0x50
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that brelse() is called on both ofibh.sbh
and ofibh.ebh by udf_find_entry() when it returns NULL. However,
brelse() is called by udf_rename(), too. So, b_count on buffer_head
becomes unbalanced.

This patch fixes the issue by not calling brelse() by udf_rename()
when udf_find_entry() returns NULL.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< 78eba2778ae10fb2a9d450e14d26eb6f6bf1f906
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< 9d2cad69547abea961fa80426d600b861de1952b
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< d6da7ec0f94f5208c848e0e94b70f54a0bd9c587
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< 156d440dea97deada629bb51cb17887abd862605
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< 40dba68d418237b1ae2beaa06d46a94dd946278e
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< e7a6a53c871460727be09f4414ccb29fb8697526
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< 4fca09045509f5bde8fc28e68fbca38cb4bdcf2e
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< 090bf49833c51da297ec74f98ad2bf44daea9311
`231473f6ddcef9c01993e0bfe36acc6f8e425c31`	affected	< c791730f2554a9ebb8f18df9368dc27d4ebc38c2

Linux

affected

Version	Status	Constraints
`4.2`	affected	—
`0`	unaffected	< 4.2
`4.9.337`	unaffected	≤ 4.9.*
`4.14.303`	unaffected	≤ 4.14.*
`4.19.270`	unaffected	≤ 4.19.*
`5.4.229`	unaffected	≤ 5.4.*
`5.10.163`	unaffected	≤ 5.10.*
`5.15.86`	unaffected	≤ 5.15.*
`6.0.16`	unaffected	≤ 6.0.*
`6.1.2`	unaffected	≤ 6.1.*
`6.2`	unaffected	≤ *

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/090bf49833c51da297ec74f98ad2bf44daea9311
https://git.kernel.org/stable/c/156d440dea97deada629bb51cb17887abd862605
https://git.kernel.org/stable/c/40dba68d418237b1ae2beaa06d46a94dd946278e
https://git.kernel.org/stable/c/4fca09045509f5bde8fc28e68fbca38cb4bdcf2e
https://git.kernel.org/stable/c/78eba2778ae10fb2a9d450e14d26eb6f6bf1f906
https://git.kernel.org/stable/c/9d2cad69547abea961fa80426d600b861de1952b
https://git.kernel.org/stable/c/c791730f2554a9ebb8f18df9368dc27d4ebc38c2
https://git.kernel.org/stable/c/d6da7ec0f94f5208c848e0e94b70f54a0bd9c587
https://git.kernel.org/stable/c/e7a6a53c871460727be09f4414ccb29fb8697526
https://lore.kernel.org/linux-cve-announce/2025122453-CVE-2022-50755-f5d8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-50755
https://www.cve.org/CVERecord?id=CVE-2022-50755

History

Thu, 25 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025122453-CVE-2022-50755-f5d8@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2022-50755 https://www.cve.org/CVERecord?id=CVE-2022-50755
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 24 Dec 2025 13:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: udf: Avoid double brelse() in udf_rename() syzbot reported a warning like below [1]: VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 ... Call Trace: <TASK> invalidate_bh_lru+0x99/0x150 smp_call_function_many_cond+0xe2a/0x10c0 ? generic_remap_file_range_prep+0x50/0x50 ? __brelse+0xa0/0xa0 ? __mutex_lock+0x21c/0x12d0 ? smp_call_on_cpu+0x250/0x250 ? rcu_read_lock_sched_held+0xb/0x60 ? lock_release+0x587/0x810 ? __brelse+0xa0/0xa0 ? generic_remap_file_range_prep+0x50/0x50 on_each_cpu_cond_mask+0x3c/0x80 blkdev_flush_mapping+0x13a/0x2f0 blkdev_put_whole+0xd3/0xf0 blkdev_put+0x222/0x760 deactivate_locked_super+0x96/0x160 deactivate_super+0xda/0x100 cleanup_mnt+0x222/0x3d0 task_work_run+0x149/0x240 ? task_work_cancel+0x30/0x30 do_exit+0xb29/0x2a40 ? reacquire_held_locks+0x4a0/0x4a0 ? do_raw_spin_lock+0x12a/0x2b0 ? mm_update_next_owner+0x7c0/0x7c0 ? rwlock_bug.part.0+0x90/0x90 ? zap_other_threads+0x234/0x2d0 do_group_exit+0xd0/0x2a0 __x64_sys_exit_group+0x3a/0x50 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that brelse() is called on both ofibh.sbh and ofibh.ebh by udf_find_entry() when it returns NULL. However, brelse() is called by udf_rename(), too. So, b_count on buffer_head becomes unbalanced. This patch fixes the issue by not calling brelse() by udf_rename() when udf_find_entry() returns NULL.
Title		udf: Avoid double brelse() in udf_rename()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/090bf49833c51da297ec74f98ad2bf44daea9311 https://git.kernel.org/stable/c/156d440dea97deada629bb51cb17887abd862605 https://git.kernel.org/stable/c/40dba68d418237b1ae2beaa06d46a94dd946278e https://git.kernel.org/stable/c/4fca09045509f5bde8fc28e68fbca38cb4bdcf2e https://git.kernel.org/stable/c/78eba2778ae10fb2a9d450e14d26eb6f6bf1f906 https://git.kernel.org/stable/c/9d2cad69547abea961fa80426d600b861de1952b https://git.kernel.org/stable/c/c791730f2554a9ebb8f18df9368dc27d4ebc38c2 https://git.kernel.org/stable/c/d6da7ec0f94f5208c848e0e94b70f54a0bd9c587 https://git.kernel.org/stable/c/e7a6a53c871460727be09f4414ccb29fb8697526

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-24T13:05:48.928Z

Updated: 2026-01-02T15:04:26.244Z

Reserved: 2025-12-24T13:02:21.544Z

Link: CVE-2022-50755

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-12-24T13:16:02.250

Modified: 2025-12-29T15:58:34.503

Link: CVE-2022-50755

Redhat

Severity : Low

Publid Date: 2025-12-24T00:00:00Z

Links: CVE-2022-50755 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object