CVE-2022-49120: Vulnerability in Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:55:01 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix task leak in pm8001_send_abort_all()

In pm8001_send_abort_all(), make sure to free the allocated sas task if pm8001_tag_alloc() or pm8001_mpi_build_cmd() fail.

AI-Powered Analysis

Last updated: 06/30/2025, 02:57:40 UTC

Technical Analysis

CVE-2022-49120 is a vulnerability identified in the Linux kernel, specifically within the SCSI subsystem driver pm8001, which handles communication with certain SAS (Serial Attached SCSI) controllers. The issue arises in the function pm8001_send_abort_all(), which is responsible for aborting all outstanding SCSI tasks. The vulnerability is due to a task leak caused by improper handling of failure conditions: when either pm8001_tag_alloc() or pm8001_mpi_build_cmd() fails, the allocated SAS task is not freed properly. This results in a resource leak, specifically a memory leak of the SAS task structure.

While the vulnerability does not directly lead to code execution or privilege escalation, the leak of allocated tasks can degrade system stability and reliability over time, potentially leading to denial of service (DoS) conditions due to resource exhaustion. The flaw is rooted in error handling paths where allocated resources are not cleaned up, which is a common source of memory leaks in kernel drivers.

The vulnerability affects Linux kernel versions containing the vulnerable commit identified by the hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2. The issue has been resolved by ensuring that the allocated SAS task is freed if the allocation or command build functions fail. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability requires local kernel-level code execution to trigger the leak, as it involves internal driver functions handling SCSI commands. User interaction is not required, but the attacker would need the ability to interact with the affected SCSI subsystem, which typically requires elevated privileges or specific hardware access.
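The error-path pattern described above, as an added user-space model (not the pm8001 driver's code and not the upstream patch). Every name in it is hypothetical, and a fixed pool of 8 slots stands in for kernel memory so that the effect of repeated failures on later, healthy calls is visible.

```c
#include <stdio.h>
/* User-space model of the error path; every name here is hypothetical. */
#define POOL 8
struct model_task { int in_use; };
static struct model_task pool[POOL];  /* stands in for task memory */
static int fail_tag, fail_build;      /* failure-injection switches */
static struct model_task *task_alloc(void)
{
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                      /* pool exhausted */
}
static void task_free(struct model_task *t) { t->in_use = 0; }
static int tag_alloc(void) { return fail_tag ? -1 : 0; }
static int build_cmd(void) { return fail_build ? -1 : 0; }

/* Pre-fix shape: a failure after allocation returns without freeing. */
static int abort_all_leaky(void)
{
    struct model_task *t = task_alloc();
    if (!t) return -2;
    if (tag_alloc() || build_cmd()) return -1;  /* task never freed */
    task_free(t);  /* model only: stands in for release on completion */
    return 0;
}

/* Fixed shape: every exit after allocation passes through task_free(). */
static int abort_all_fixed(void)
{
    struct model_task *t = task_alloc();
    if (!t) return -2;
    int ret = (tag_alloc() || build_cmd()) ? -1 : 0;
    task_free(t);
    return ret;
}
/* Inject a failure n times from a clean pool; return slots still held. */
static int leaked_after(int (*fn)(void), int n, int ftag, int fbuild)
{
    int held = 0;
    for (int i = 0; i < POOL; i++) pool[i].in_use = 0;
    fail_tag = ftag; fail_build = fbuild;
    while (n-- > 0) fn();
    for (int i = 0; i < POOL; i++) held += pool[i].in_use;
    return held;
}
int main(void)
{
    int l = leaked_after(abort_all_leaky, POOL, 0, 1);
    printf("leaky holds %d, fixed holds %d\n", l, leaked_after(abort_all_fixed, POOL, 0, 1));
}
```

In the leaky variant, eight injected failures hold all eight slots, after which even a call with no failure injected cannot allocate a task.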

Potential Impact

For European organizations, the impact of CVE-2022-49120 primarily concerns system stability and availability. Organizations relying on Linux servers or infrastructure that use SAS storage controllers supported by the pm8001 driver could experience degraded performance or system crashes if the vulnerability is exploited repeatedly, leading to resource exhaustion. This could affect data centers, cloud service providers, and enterprises with critical storage infrastructure running Linux. Although the vulnerability does not directly compromise data confidentiality or integrity, denial of service conditions can disrupt business operations, cause downtime, and impact service availability. In sectors such as finance, healthcare, and government, where Linux-based storage systems are common, such disruptions could have significant operational and regulatory consequences. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent potential future abuse. The impact is more pronounced in environments with high storage I/O loads or where the pm8001 driver is actively used, as repeated task leaks could accumulate faster. Additionally, organizations with strict uptime requirements or those operating critical storage arrays should prioritize patching to maintain system reliability.

Mitigation Recommendations

To mitigate CVE-2022-49120, European organizations should:

1) Apply the official Linux kernel patches that fix the task leak in the pm8001 driver as soon as they become available from trusted Linux distribution vendors or the Linux kernel mainline.
2) Identify systems using the pm8001 driver by checking kernel module usage and hardware inventory to prioritize patch deployment.
3) Monitor system logs and kernel messages for signs of resource leaks or abnormal SCSI subsystem errors that might indicate exploitation attempts or instability.
4) Implement proactive resource monitoring and alerting on storage controllers to detect early signs of resource exhaustion.
5) Restrict access to systems with SAS controllers to trusted administrators and limit local privilege escalation vectors to reduce the risk of exploitation.
6) For environments where immediate patching is not feasible, consider temporary workarounds such as limiting workload intensity on affected storage controllers to reduce the likelihood of triggering the leak.
7) Maintain up-to-date backups and disaster recovery plans to mitigate potential downtime impacts.

These steps go beyond generic advice by focusing on hardware-specific driver identification, monitoring, and access control tailored to the nature of this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.264Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4f71

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 2:57:40 AM

Last updated: 8/5/2025, 12:55:11 PM
