
CVE-2022-49147: Vulnerability in Linux Linux

High
Published: Wed Feb 26 2025 (02/26/2025, 01:55:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

block: Fix the maximum minor value is blk_alloc_ext_minor()

ida_alloc_range(..., min, max, ...) returns values from min to max, inclusive. So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().

This is an issue because in device_add_disk(), this value is used in:

    ddev->devt = MKDEV(disk->major, disk->first_minor);

and NR_EXT_DEVT is '(1 << MINORBITS)'. So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow.

AI-Powered Analysis

Last updated: 06/30/2025, 03:25:52 UTC

Technical Analysis

CVE-2022-49147 is a vulnerability in the Linux kernel's block device subsystem, in blk_alloc_ext_minor(), the function that allocates extended minor device numbers. ida_alloc_range() returns values from min to max inclusive, so NR_EXT_DEVT, defined as (1 << MINORBITS), is a valid index that it can return. In device_add_disk(), the returned value is used to compute the device number (devt) via MKDEV(disk->major, disk->first_minor). A minor number has only MINORBITS bits available in devt, so if disk->first_minor equals NR_EXT_DEVT the value does not fit and the devt calculation overflows.

This overflow can cause incorrect device number assignment, potentially leading to device misidentification or conflicts within the kernel's block device management. Such inconsistencies could result in system instability, incorrect device access, or denial of service conditions. The vulnerability is rooted in improper boundary checking and integer overflow in the kernel's device number allocation logic. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The affected versions are specific Linux kernel commits identified by their hashes, indicating this is a recent and targeted fix.
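The boundary error described above can be reproduced in user space. The following is an added example, not kernel code and not part of the original advisory: the dev_t macros mirror the kernel's definitions, while ida_alloc_range_model(), first_corrupt_minor() and SAMPLE_MAJOR are hypothetical names and constructed values, and NR_EXT_DEVT - 1 is assumed as the tightened inclusive bound.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space copies of the kernel's dev_t helpers (include/linux/kdev_t.h). */
#define MINORBITS     20
#define MINORMASK     ((1U << MINORBITS) - 1)
#define MAJOR(dev)    ((unsigned int)((dev) >> MINORBITS))
#define MINOR(dev)    ((unsigned int)((dev) & MINORMASK))
#define MKDEV(ma, mi) (((ma) << MINORBITS) | (mi))
#define NR_EXT_DEVT   (1U << MINORBITS)
#define SAMPLE_MAJOR  259U   /* constructed sample major for the demo */

/* Hypothetical model of ida_alloc_range(): returns the lowest unused id in
 * [min, max], both ends inclusive, or -1 once the range is exhausted. */
struct ida_model { unsigned int next; };

static long ida_alloc_range_model(struct ida_model *ida,
                                  unsigned int min, unsigned int max)
{
    unsigned int id = ida->next < min ? min : ida->next;
    if (id > max)
        return -1;
    ida->next = id + 1;
    return (long)id;
}

/* Drain the allocator with the given inclusive max and return the first
 * minor whose dev_t no longer decodes to (major, minor); -1 if none. */
static long first_corrupt_minor(unsigned int major, unsigned int max)
{
    struct ida_model ida = { 0 };
    long idx;
    while ((idx = ida_alloc_range_model(&ida, 0, max)) >= 0) {
        uint32_t devt = MKDEV(major, (unsigned int)idx);
        if (MAJOR(devt) != major || MINOR(devt) != (unsigned int)idx)
            return idx;
    }
    return -1;
}

int main(void)
{
    printf("max = NR_EXT_DEVT     -> first bad minor: %ld\n",
           first_corrupt_minor(SAMPLE_MAJOR, NR_EXT_DEVT));
    printf("max = NR_EXT_DEVT - 1 -> first bad minor: %ld\n",
           first_corrupt_minor(SAMPLE_MAJOR, NR_EXT_DEVT - 1));
    return 0;
}
```

With an odd major such as the sample value, the out-of-range minor produces the same dev_t as minor 0 of that major; with an even major, the extra bit makes the value decode as major + 1, minor 0.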

Potential Impact

For European organizations relying heavily on Linux-based infrastructure, especially those using custom or recent kernel builds that might include the vulnerable commits, this vulnerability could lead to system reliability issues. Misallocation of device numbers can cause block devices to be incorrectly identified or accessed, potentially disrupting storage operations. This can affect critical services such as databases, file servers, and virtualized environments that depend on stable block device management. In high-availability or data-sensitive environments, such as financial institutions, healthcare providers, and industrial control systems, this could translate into service outages or data integrity risks. Although exploitation requires kernel-level access or the ability to trigger device_add_disk() with crafted parameters, the vulnerability could be leveraged by local attackers or malicious software to destabilize systems or cause denial of service. Given the kernel's central role, the impact spans confidentiality, integrity, and availability, with availability and integrity being the most directly affected.

Mitigation Recommendations

Organizations should promptly apply the official Linux kernel patches that address this integer overflow in blk_alloc_ext_minor(). Since the vulnerability involves kernel-level code, updating to a fixed kernel version is the most effective mitigation. For environments where immediate patching is challenging, administrators should audit and restrict access to systems to trusted users only, minimizing the risk of local exploitation. Monitoring kernel logs for unusual device allocation errors or warnings related to block devices can help detect attempts to trigger the vulnerability. Additionally, implementing kernel hardening techniques such as SELinux or AppArmor policies to restrict device management operations may reduce exploitation risk. For virtualized environments, ensure hypervisor and guest kernel versions are updated to prevent cross-VM impact. Finally, maintain rigorous change management and testing procedures for kernel updates to avoid introducing regressions.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.271Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe503a

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 3:25:52 AM

Last updated: 7/31/2025, 2:14:21 PM
