CVE-2022-49078

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published: Feb 26, 2025
Updated: Feb 27, 2025
CWE ID 416

Summary

CVE-2022-49078 is a vulnerability in the Linux kernel's LZ4 decompression routine (lib/lz4). In certain corner cases where the compressed data is corrupted, the partial-decoding path keeps reading after it has consumed the last literal run, which KASAN reported as a use-after-free and which amounts to an out-of-bounds read of the input. The defect had already been fixed in the upstream lz4 project and had been discussed earlier on the lore.kernel.org mailing-list archive, but the kernel's lib/lz4 is ported from an older lz4 release and bumping it to v1.9.+ is a substantial piece of work, so the kernel carries a targeted fix to the decoding routine rather than a library upgrade.

The trigger is malformed compressed input, so the exposed surface is any kernel path that decompresses attacker-supplied or otherwise untrusted LZ4 data. The identifier was published in February 2025 for a fix that landed in the kernel years earlier, so check whether a given kernel build carries the lz4 decompression fix rather than keying on the publication date.
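The decoding behaviour described above, as an added example that is not kernel code or the lz4 project's code: a minimal LZ4 block decoder in partial-decoding mode with a `hardened` flag. With `hardened = 0` it reproduces the unchecked behaviour (after a literal run that exhausts the input, it still reads a two-byte match offset because the output target has not been reached); with `hardened = 1` it stops when fewer than two input bytes remain, in the spirit of the kernel's fix. The block layout follows the LZ4 sequence format (token, literal length, literals, little-endian offset, match length). The sample blocks, the helper names and the 0xFF sentinel padding are constructed for this example so the out-of-bounds read is observable rather than undefined. The example also goes beyond the corrupted case: a well-formed block hits the same read when the caller asks for more output than the block decodes to.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcome of one decode: bytes written (-1 on malformed input) and the highest
 * input index dereferenced, so a read past the declared length is observable. */
struct lz4_result {
    long bytes_out;
    size_t max_in_idx;   /* (size_t)-1 if no input byte was read */
};

/* Read one input byte and record the furthest index touched. */
static uint8_t rd(const uint8_t *src, size_t i, size_t *max_idx)
{
    if (*max_idx == (size_t)-1 || i > *max_idx)
        *max_idx = i;
    return src[i];
}

/* LZ4 extended length: add bytes until one is < 255; fails if input runs out. */
static int read_varlen(const uint8_t *src, size_t len, size_t *ip,
                       size_t *n, size_t *max_idx)
{
    for (;;) {
        if (*ip >= len) return -1;
        uint8_t b = rd(src, (*ip)++, max_idx);
        *n += b;
        if (b != 255) return 0;
    }
}

/* Partial decode: stop once `cap` output bytes are produced. `hardened` selects
 * the extra end-of-input check; 0 reproduces the unchecked behaviour. */
struct lz4_result lz4_decompress_partial(const uint8_t *src, size_t len,
                                         uint8_t *dst, size_t cap, int hardened)
{
    struct lz4_result r = { -1, (size_t)-1 };
    size_t ip = 0, op = 0;

    while (ip < len) {
        uint8_t token = rd(src, ip++, &r.max_in_idx);
        size_t lit = token >> 4;
        if (lit == 15 && read_varlen(src, len, &ip, &lit, &r.max_in_idx) < 0)
            return r;
        if (lit > len - ip) return r;             /* literals overrun input */
        if (lit > cap - op) lit = cap - op;       /* partial: clip to target */
        for (size_t i = 0; i < lit; i++)
            dst[op + i] = rd(src, ip + i, &r.max_in_idx);
        ip += lit;
        op += lit;

        if (op == cap) break;                     /* output target reached */
        /* Unchecked variant: a literal run that ends the input is followed by an
         * offset read anyway. Hardened: no room for a 2-byte offset means EOF. */
        if (hardened && ip + 2 > len) break;

        size_t offset = rd(src, ip, &r.max_in_idx)
                      | ((size_t)rd(src, ip + 1, &r.max_in_idx) << 8);
        ip += 2;
        size_t mlen = token & 0x0F;
        if (mlen == 15 && read_varlen(src, len, &ip, &mlen, &r.max_in_idx) < 0)
            return r;
        mlen += 4;                                /* LZ4 minimum match length */
        if (offset == 0 || offset > op) return r; /* back-reference before dst */
        if (mlen > cap - op) mlen = cap - op;
        for (size_t i = 0; i < mlen; i++)         /* byte-wise: overlap allowed */
            dst[op + i] = dst[op - offset + i];
        op += mlen;
    }
    r.bytes_out = (long)op;
    return r;
}

/* Constructed sample blocks (not real kernel or lz4 test data).
 * VALID: literals "abcd", match offset 4 len 4, last literals "xy" -> "abcdabcdxy".
 * CORRUPT: a lone literal run "hello" with nothing after it. */
const uint8_t VALID_BLOCK[] = { 0x40, 'a', 'b', 'c', 'd', 0x04, 0x00, 0x20, 'x', 'y' };
const uint8_t CORRUPT_BLOCK[] = { 0x50, 'h', 'e', 'l', 'l', 'o' };

/* Copy a block into a 0xFF-padded buffer so a read past `len` lands on sentinel
 * bytes (observable) instead of being undefined behaviour. */
static struct lz4_result run_padded(const uint8_t *block, size_t len,
                                    uint8_t *out, size_t cap, int hardened)
{
    uint8_t backing[64];
    memset(backing, 0xFF, sizeof backing);
    memcpy(backing, block, len);
    return lz4_decompress_partial(backing, len, out, cap, hardened);
}

/* 1 if decoding to at most `cap` bytes yields exactly `expect`. */
int decodes_to(const uint8_t *block, size_t len, size_t cap, int hardened,
               const char *expect)
{
    uint8_t out[64];
    struct lz4_result r = run_padded(block, len, out, cap, hardened);
    size_t n = strlen(expect);
    return r.bytes_out == (long)n && memcmp(out, expect, n) == 0;
}

/* 1 if the decoder dereferenced an input index >= the block's declared length. */
int read_out_of_bounds(const uint8_t *block, size_t len, size_t cap, int hardened)
{
    uint8_t out[64];
    struct lz4_result r = run_padded(block, len, out, cap, hardened);
    return r.max_in_idx != (size_t)-1 && r.max_in_idx >= len;
}
```

The unchecked variant only ever reads two bytes past the input, which is why the real report came from KASAN rather than from a crash: the offset it fetches from whatever follows the buffer is garbage, and here it is caught as an invalid back-reference, but the read itself has already happened. The hardened check is what turns "input exhausted after a literal run" into a clean end of stream.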

