
CVE-2022-48846: Vulnerability in Linux

Medium
Published: Tue Jul 16 2024 (07/16/2024, 12:25:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

block: release rq qos structures for queue without disk

blkcg_init_queue() may add rq qos structures to request queue, previously blk_cleanup_queue() calls rq_qos_exit() to release them, but commit 8e141f9eb803 ("block: drain file system I/O on del_gendisk") moves rq_qos_exit() into del_gendisk(), so memory leak is caused because queues may not have disk, such as un-present scsi luns, nvme admin queue, ...

Fixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.

BTW, v5.18 won't need this patch any more since we move blkcg_init_queue()/blkcg_exit_queue() into disk allocation/release handler, and patches have been in for-5.18/block.

AI-Powered Analysis

Last updated: 06/30/2025, 22:41:05 UTC

Technical Analysis

CVE-2022-48846 is a vulnerability identified in the Linux kernel's block layer, specifically related to the handling of request queue quality of service (rq qos) structures. The issue arises from a change in kernel code where the function responsible for releasing rq qos structures, rq_qos_exit(), was moved from blk_cleanup_queue() to del_gendisk(). This change inadvertently caused a memory leak because some request queues may not be associated with a disk device, such as un-present SCSI logical unit numbers (LUNs) or NVMe admin queues. As a result, these queues would not trigger del_gendisk(), leaving rq qos structures unreleased and causing memory to be leaked. The vulnerability was fixed by restoring the call to rq_qos_exit() within blk_cleanup_queue(), ensuring that rq qos structures are properly released regardless of whether the queue has an associated disk. Notably, Linux kernel versions 5.18 and later are not affected by this vulnerability because the initialization and cleanup of rq qos structures were moved into the disk allocation and release handlers, preventing this issue. The vulnerability does not have any known exploits in the wild as of the publication date. The affected versions are those containing the specific commit 8e141f9eb803, which introduced the problematic change. This vulnerability primarily impacts the kernel's memory management related to block device queues and could lead to resource exhaustion over time if exploited or triggered repeatedly.
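
The queue lifetime described above, as an added example that is not kernel code and not part of the original advisory: a user-space C model that counts rq qos structures left allocated after teardown. The function names mirror the kernel's, but the bodies, the `live_qos` counter, the `fixed` flag and `leaked_after_teardown()` are assumptions made for illustration.

```c
/* User-space model of the queue lifetime; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct rq_qos { struct rq_qos *next; };
struct request_queue { struct rq_qos *rq_qos; bool has_disk; };
static int live_qos;                 /* rq_qos structures not yet freed */
/* Stand-in for blkcg_init_queue(): attaches one rq qos structure. */
static void blkcg_init_queue(struct request_queue *q)
{
    struct rq_qos *r = calloc(1, sizeof(*r));
    if (!r) abort();
    r->next = q->rq_qos;
    q->rq_qos = r;
    live_qos++;
}
/* Stand-in for rq_qos_exit(): frees the list, a no-op on an empty one. */
static void rq_qos_exit(struct request_queue *q)
{
    while (q->rq_qos) {
        struct rq_qos *r = q->rq_qos;
        q->rq_qos = r->next;
        free(r);
        live_qos--;
    }
}
/* After commit 8e141f9eb803 the release happens here, on the disk path. */
static void del_gendisk(struct request_queue *q) { rq_qos_exit(q); }
/* fixed == true models the patch that puts rq_qos_exit() back. */
static void blk_cleanup_queue(struct request_queue *q, bool fixed) { if (fixed) rq_qos_exit(q); }
/* One queue lifetime; returns how many structures were left allocated. */
int leaked_after_teardown(bool has_disk, bool fixed)
{
    struct request_queue q = { .rq_qos = NULL, .has_disk = has_disk };
    live_qos = 0;
    blkcg_init_queue(&q);
    if (q.has_disk) del_gendisk(&q); /* diskless queues never get here */
    blk_cleanup_queue(&q, fixed);
    int leaked = live_qos;
    rq_qos_exit(&q);                 /* free the model's own memory */
    return leaked;
}
int main(void)
{
    printf("no disk, unpatched: %d\n", leaked_after_teardown(false, false));
    printf("no disk, patched:   %d\n", leaked_after_teardown(false, true));
    return 0;
}
```

Only the diskless, unpatched combination leaves a structure behind; calling `rq_qos_exit()` on both paths is harmless in this model because the second call finds an empty list.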

Potential Impact

For European organizations, the impact of CVE-2022-48846 is primarily related to system stability and availability. Since the vulnerability causes a memory leak in the Linux kernel's block layer, systems running affected kernel versions could experience degraded performance or eventual crashes due to exhaustion of kernel memory resources. This can affect servers, storage appliances, and any infrastructure relying on Linux for block device management, including cloud environments, data centers, and embedded systems. Organizations with critical infrastructure or services that depend on high availability and reliability may face operational disruptions if the vulnerability is triggered repeatedly or under heavy I/O workloads. Although there is no indication that this vulnerability can be exploited for privilege escalation or remote code execution, the denial of service through resource exhaustion could still have significant operational consequences. European entities in sectors such as finance, telecommunications, healthcare, and government, which often rely on Linux-based systems, may be particularly sensitive to such availability issues. Additionally, the lack of known exploits suggests that the threat is currently low, but unpatched systems remain at risk of stability problems.

Mitigation Recommendations

To mitigate CVE-2022-48846, European organizations should:

1) Identify and inventory Linux systems running kernel versions prior to 5.18 that include the problematic commit (8e141f9eb803).
2) Apply the official kernel patches that restore the rq_qos_exit() call in blk_cleanup_queue(), or upgrade to Linux kernel version 5.18 or later, where the issue is resolved by design.
3) For systems where immediate patching or upgrading is not feasible, implement monitoring of kernel memory usage and block device queue metrics to detect abnormal memory consumption patterns indicative of this leak.
4) Limit exposure by restricting access to systems running vulnerable kernels, especially those handling un-present SCSI LUNs or NVMe admin queues, which are more likely to trigger the leak.
5) Engage with Linux distribution vendors for backported patches if using long-term support kernels that do not yet include the fix.
6) Incorporate this vulnerability into regular vulnerability management and patching cycles to ensure timely remediation.

These steps go beyond generic advice by focusing on kernel version identification, targeted patching, and proactive monitoring specific to the nature of this memory leak.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-16T11:38:08.911Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982ec4522896dcbe6371

Added to database: 5/21/2025, 9:09:02 AM

Last enriched: 6/30/2025, 10:41:05 PM

Last updated: 8/14/2025, 10:45:23 PM
