CVE-2022-49058

cifs: potential buffer overflow in handling symlinks

Description

In the Linux kernel, the following vulnerability has been resolved: cifs: potential buffer overflow in handling symlinks Smatch printed a warning: arch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error: __memcpy() 'dctx->buf' too small (16 vs u32max) It's caused because Smatch marks 'link_len' as untrusted since it comes from sscanf(). Add a check to ensure that 'link_len' is not larger than the size of the 'link_str' buffer.

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/3e582749e742e662a8e9bb37cffac62dccaaa1e2 patch
https://git.kernel.org/stable/c/1316c28569a80ab3596eeab05bf5e01991e7e739 patch
https://git.kernel.org/stable/c/eb5f51756944735ac70cd8bb38637cc202e29c91 patch
https://git.kernel.org/stable/c/22d658c6c5affed10c8907e67160cef0b6c92186 patch
https://git.kernel.org/stable/c/4e166a41180be2f1e66bbb6d46448e80a9a5ec05 patch
https://git.kernel.org/stable/c/9901b07ba42b39266b34a888e48d7306fd707bee patch
https://git.kernel.org/stable/c/515e7ba11ef043d6febe69389949c8ef5f25e9d0 patch
https://git.kernel.org/stable/c/64c4a37ac04eeb43c42d272f6e6c8c12bfcf4304 patch

Frequently Asked Questions

What is the severity of CVE-2022-49058?
CVE-2022-49058 has been scored as a high severity vulnerability.
How to fix CVE-2022-49058?
To fix CVE-2022-49058, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-49058 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-49058 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-49058?
CVE-2022-49058 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.