CVE-2022-49912 [Medium] | Information Disclosure in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ulist leaks in error paths of qgroup self tests In the test_no_shared_qgroup() and test_multiple_refs() qgroup self tests, if we fail to add the tree ref, remove the extent item or remove the extent ref, we are returning from the test function without freeing the "old_roots" ulist that was allocated by the previous calls to btrfs_find_all_roots(). Fix that by calling ulist_free() before returning.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-02-25	0.03%	0.05%	+0.02%
2	2025-11-13	0.10%	0.03%	-0.07%
3	2025-07-16	—	0.10%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-02-25

0.03%

0.05%

+0.02%

2025-11-13

0.10%

0.03%

-0.07%

2025-07-16

—

0.10%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

3.6

[email protected]

OS Trackers for CVE-2022-49912

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2022-49912 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2022-49912
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2022-49912
`suse`	medium	CVE-2022-49912 severity moderate: SUSE including 26 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 248 product×package rows across 49 product lines (SLES-LTSS-TERADATA 15 SP2, SUSE Linux Enterprise High Availability Extension 15 SP7, … (49 product lines)): Known Not Affected 248.	https://www.suse.com/security/cve/CVE-2022-49912/
`ubuntu`	medium	CVE-2022-49912 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, released 152, ignored 148, not-affected 101, needed 4, needs-triage 1.	https://ubuntu.com/security/CVE-2022-49912

Affected software / configurations for CVE-2022-49912

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 4.2, < 4.9.333	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.10, < 4.14.299	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.15, < 4.19.265	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.20, < 5.4.224	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.5, < 5.10.154	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.78	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 6.0.8	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.1	cpe:2.3:o:linux:linux_kernel:6.1:rc1::::::
linux	linux_kernel	6.1	cpe:2.3:o:linux:linux_kernel:6.1:rc2::::::
linux	linux_kernel	6.1	cpe:2.3:o:linux:linux_kernel:6.1:rc3::::::

References for CVE-2022-49912

URL	Tags
https://git.kernel.org/stable/c/0a0dead4ad1a2e2a9bdf133ef45111d7c8daef84	Patch
https://git.kernel.org/stable/c/203204798831c35d855ecc6417d98267d2d2184b	Patch
https://git.kernel.org/stable/c/3f58283d83a588ff5da62fc150de19e798ed2ec2	Patch
https://git.kernel.org/stable/c/5d1a47ebf84540e40b5b43fc21aef0d6c0f627d9	Patch
https://git.kernel.org/stable/c/d37de92b38932d40e4a251e876cc388f9aee5f42	Patch
https://git.kernel.org/stable/c/d81370396025cf63a7a1b5f8bb25a3479203b2ca	Patch
https://git.kernel.org/stable/c/da7003434bcab0ae9aba3f2c003e734cae093326	Patch
https://git.kernel.org/stable/c/f46ea5fa3320dca4fe0c0926b49a5f14cb85de62	Patch

URL

CVE-2022-49912 | btrfs: fix ulist leaks in error paths of qgroup self tests

Exploit prediction scoring system (EPSS) score for CVE-2022-49912

Common vulnerability scoring system (CVSS) metrics for CVE-2022-49912

Weakness enumeration for CVE-2022-49912

OS Trackers for CVE-2022-49912

Affected software / configurations for CVE-2022-49912

References for CVE-2022-49912