CVE-2022-49063 is a high-severity use-after-free vulnerability in the Linux kernel affecting the ice network driver, specifically in the handling of IRQ (interrupt request) CPU rmap structures related to the aRFS (accelerated Receive Flow Steering) feature. The vulnerability arises because the function free_irq_cpu_rmap() is called after (devm_)free_irq(), causing it to operate on IRQ descriptors that have already been freed. This improper ordering leads to a use-after-free condition, which is a type of memory corruption where the kernel attempts to access memory that has been released back to the system. The issue was identified through kernel address sanitizer (KASAN) reports triggered by continuous integration testing bots, showing a BUG report with a stack trace pointing to free_irq_cpu_rmap() and related ice driver functions such as ice_remove_arfs and ice_rebuild_arfs. The root cause is that the rmap creation and freeing functions were not symmetrical with the request/free_irq() calls, being performed on device probe/remove/resume instead of on network interface up/down events. This mismatch allows for scenarios, such as device resets, where the rmap is freed prematurely before a new allocation, leading to the use-after-free. The fix involves aligning the lifecycle of the rmap with IRQ request/free calls and ensuring that IRQ affinity notifiers are only cleared when aRFS is disabled, preventing manual interference with CPU rmap sets. The vulnerability impacts Linux kernel versions containing the affected ice driver code, and it has a CVSS 3.1 score of 7.8, indicating high severity with potential for local privilege escalation or denial of service due to corrupted kernel memory. Exploitation requires local privileges but no user interaction, and the vulnerability affects confidentiality, integrity, and availability of the system. No known exploits are reported in the wild as of the publication date.

For European organizations, this vulnerability poses a significant risk especially to environments running Linux servers with Intel Ethernet controllers using the ice driver, common in data centers, cloud infrastructure, and enterprise networks. Successful exploitation could allow an attacker with local access to cause kernel crashes (denial of service) or potentially escalate privileges by corrupting kernel memory, undermining system integrity and confidentiality. This is particularly critical for sectors relying on high availability and secure data processing such as finance, healthcare, telecommunications, and government institutions. The vulnerability could disrupt critical services and lead to data breaches or system downtime. Given the widespread use of Linux in European IT infrastructure, especially in cloud and virtualization platforms, the impact could be broad if not mitigated promptly.

European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since the issue is in the ice network driver, organizations should audit their systems to identify usage of Intel Ethernet adapters relying on this driver. Network administrators should coordinate kernel upgrades during maintenance windows to minimize disruption. Additionally, limiting local access to trusted users and enforcing strict access controls can reduce exploitation risk. For environments where immediate patching is not feasible, disabling aRFS or the ice driver temporarily may mitigate the risk, though this could impact network performance. Monitoring kernel logs for BUG reports related to free_irq_cpu_rmap and employing kernel address sanitizer tools in testing environments can help detect attempts to exploit this vulnerability. Finally, organizations should ensure robust incident response plans are in place to quickly address potential exploitation attempts.