
CVE-2022-49176: Vulnerability in Linux Linux

High
Published: Wed Feb 26 2025 (02/26/2025, 01:55:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bfq: fix use-after-free in bfq_dispatch_request

KASAN reports a use-after-free report when doing normal scsi-mq test

[69832.239032] ==================================================================
[69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0
[69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155
[69832.244656]
[69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8
[69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[69832.249069] Workqueue: kblockd blk_mq_run_work_fn
[69832.250022] Call Trace:
[69832.250541] dump_stack+0x9b/0xce
[69832.251232] ? bfq_dispatch_request+0x1045/0x44b0
[69832.252243] print_address_description.constprop.6+0x3e/0x60
[69832.253381] ? __cpuidle_text_end+0x5/0x5
[69832.254211] ? vprintk_func+0x6b/0x120
[69832.254994] ? bfq_dispatch_request+0x1045/0x44b0
[69832.255952] ? bfq_dispatch_request+0x1045/0x44b0
[69832.256914] kasan_report.cold.9+0x22/0x3a
[69832.257753] ? bfq_dispatch_request+0x1045/0x44b0
[69832.258755] check_memory_region+0x1c1/0x1e0
[69832.260248] bfq_dispatch_request+0x1045/0x44b0
[69832.261181] ? bfq_bfqq_expire+0x2440/0x2440
[69832.262032] ? blk_mq_delay_run_hw_queues+0xf9/0x170
[69832.263022] __blk_mq_do_dispatch_sched+0x52f/0x830
[69832.264011] ? blk_mq_sched_request_inserted+0x100/0x100
[69832.265101] __blk_mq_sched_dispatch_requests+0x398/0x4f0
[69832.266206] ? blk_mq_do_dispatch_ctx+0x570/0x570
[69832.267147] ? __switch_to+0x5f4/0xee0
[69832.267898] blk_mq_sched_dispatch_requests+0xdf/0x140
[69832.268946] __blk_mq_run_hw_queue+0xc0/0x270
[69832.269840] blk_mq_run_work_fn+0x51/0x60
[69832.278170] process_one_work+0x6d4/0xfe0
[69832.278984] worker_thread+0x91/0xc80
[69832.279726] ? __kthread_parkme+0xb0/0x110
[69832.280554] ? process_one_work+0xfe0/0xfe0
[69832.281414] kthread+0x32d/0x3f0
[69832.282082] ? kthread_park+0x170/0x170
[69832.282849] ret_from_fork+0x1f/0x30
[69832.283573]
[69832.283886] Allocated by task 7725:
[69832.284599] kasan_save_stack+0x19/0x40
[69832.285385] __kasan_kmalloc.constprop.2+0xc1/0xd0
[69832.286350] kmem_cache_alloc_node+0x13f/0x460
[69832.287237] bfq_get_queue+0x3d4/0x1140
[69832.287993] bfq_get_bfqq_handle_split+0x103/0x510
[69832.289015] bfq_init_rq+0x337/0x2d50
[69832.289749] bfq_insert_requests+0x304/0x4e10
[69832.290634] blk_mq_sched_insert_requests+0x13e/0x390
[69832.291629] blk_mq_flush_plug_list+0x4b4/0x760
[69832.292538] blk_flush_plug_list+0x2c5/0x480
[69832.293392] io_schedule_prepare+0xb2/0xd0
[69832.294209] io_schedule_timeout+0x13/0x80
[69832.295014] wait_for_common_io.constprop.1+0x13c/0x270
[69832.296137] submit_bio_wait+0x103/0x1a0
[69832.296932] blkdev_issue_discard+0xe6/0x160
[69832.297794] blk_ioctl_discard+0x219/0x290
[69832.298614] blkdev_common_ioctl+0x50a/0x1750
[69832.304715] blkdev_ioctl+0x470/0x600
[69832.305474] block_ioctl+0xde/0x120
[69832.306232] vfs_ioctl+0x6c/0xc0
[69832.306877] __se_sys_ioctl+0x90/0xa0
[69832.307629] do_syscall_64+0x2d/0x40
[69832.308362] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[69832.309382]
[69832.309701] Freed by task 155:
[69832.310328] kasan_save_stack+0x19/0x40
[69832.311121] kasan_set_track+0x1c/0x30
[69832.311868] kasan_set_free_info+0x1b/0x30
[69832.312699] __kasan_slab_free+0x111/0x160
[69832.313524] kmem_cache_free+0x94/0x460
[69832.314367] bfq_put_queue+0x582/0x940
[69832.315112] __bfq_bfqd_reset_in_service+0x166/0x1d0
[69832.317275] bfq_bfqq_expire+0xb27/0x2440
[69832.318084] bfq_dispatch_request+0x697/0x44b0
[69832.318991] __blk_mq_do_dispatch_sched+0x52f/0x830
[69832.319984] __blk_mq_sched_dispatch_requests+0x398/0x4f0
[69832.321087] blk_mq_sched_dispatch_requests+0xdf/0x140
[69832.322225] __blk_mq_run_hw_queue+0xc0/0x270
[69832.323114] blk_mq_run_work_fn+0x51/0x6
---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 02:27:57 UTC

Technical Analysis

CVE-2022-49176 is a high-severity use-after-free vulnerability in the Linux kernel's BFQ (Budget Fair Queueing) I/O scheduler, specifically within the bfq_dispatch_request function. The vulnerability arises from improper handling of memory objects related to request dispatching in the block multi-queue (blk-mq) subsystem. The Kernel Address Sanitizer (KASAN) detected this use-after-free condition during normal SCSI multi-queue testing, indicating that a memory region was accessed after being freed, which can lead to undefined behavior including memory corruption, kernel crashes, or potential escalation of privileges. The detailed kernel stack trace shows that the issue occurs when bfq_dispatch_request attempts to access a freed bfq queue structure, leading to a read of invalid memory. This flaw is classified under CWE-416 (Use After Free), a common and dangerous memory corruption vulnerability. The CVSS 3.1 base score is 7.8, reflecting high severity with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning the attack requires local access with low complexity and low privileges, no user interaction, and significantly impacts confidentiality, integrity, and availability. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes, and no public exploits are currently known. The issue was resolved by fixing the memory management in bfq_dispatch_request to prevent use-after-free conditions.
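Reading the KASAN report in the description comes down to three stacks: where the stale pointer was read, where the object was allocated, and where it was freed. The script below is an added example, not part of the advisory or the kernel tree; the function names kasan_uaf_summary and sample_report are made up for illustration, and the embedded log is an abridged copy of the trace quoted in the description.

```shell
#!/bin/sh
# Added example (not from the advisory): summarise a KASAN use-after-free
# report read from stdin as "access=<fn> alloc=<fn> free=<fn>".
kasan_uaf_summary() {
    awk '
    # Drop the "[seconds.micros]" prefix and the "? " unreliable-frame marker.
    { sub(/^\[ *[0-9]+\.[0-9]+\] */, ""); sub(/^\? /, "") }
    /^BUG: KASAN: use-after-free in / {
        access = $NF; sub(/\+.*/, "", access); section = ""; next
    }
    /^Allocated by task/ { section = "alloc"; next }
    /^Freed by task/     { section = "free";  next }
    /^$/                 { section = ""; next }
    section != "" && !(section in site) {
        fn = $1; sub(/\+.*/, "", fn)
        # Skip KASAN bookkeeping and slab-allocator frames to reach the caller.
        if (fn ~ /kasan|^kmem_cache_|^k[mz]alloc|^kfree/) next
        site[section] = fn
    }
    END {
        if (access == "") exit 1
        printf "access=%s alloc=%s free=%s\n", access, site["alloc"], site["free"]
    }'
}

# Abridged excerpt of the report quoted in the description above.
sample_report() {
cat <<'EOF'
[69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0
[69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155
[69832.283573]
[69832.283886] Allocated by task 7725:
[69832.284599] kasan_save_stack+0x19/0x40
[69832.285385] __kasan_kmalloc.constprop.2+0xc1/0xd0
[69832.286350] kmem_cache_alloc_node+0x13f/0x460
[69832.287237] bfq_get_queue+0x3d4/0x1140
[69832.309382]
[69832.309701] Freed by task 155:
[69832.310328] kasan_save_stack+0x19/0x40
[69832.312699] __kasan_slab_free+0x111/0x160
[69832.313524] kmem_cache_free+0x94/0x460
[69832.314367] bfq_put_queue+0x582/0x940
[69832.315112] __bfq_bfqd_reset_in_service+0x166/0x1d0
EOF
}

sample_report | kasan_uaf_summary
```

The function exits non-zero when the input contains no KASAN use-after-free header, so it can gate an alert when fed kernel log text on a KASAN-enabled test kernel.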

Potential Impact

For European organizations, the impact of CVE-2022-49176 can be substantial, especially for those relying on Linux-based servers, workstations, or embedded systems that use the BFQ I/O scheduler. The vulnerability can lead to kernel crashes causing denial of service, or potentially allow local attackers to execute arbitrary code with kernel privileges, compromising system confidentiality and integrity. This is critical for sectors such as finance, healthcare, telecommunications, and government where Linux servers are prevalent. The ability to escalate privileges locally could facilitate lateral movement within networks, data exfiltration, or sabotage of critical infrastructure. Given the widespread use of Linux in cloud environments and enterprise data centers across Europe, unpatched systems could be targeted by attackers aiming to disrupt services or gain unauthorized access. The lack of known exploits in the wild reduces immediate risk but does not eliminate it, as the vulnerability is publicly disclosed and could be weaponized by threat actors.

Mitigation Recommendations

European organizations should prioritize patching affected Linux kernel versions by applying the latest security updates from their Linux distribution vendors that address CVE-2022-49176. Since the vulnerability requires local access, organizations should also enforce strict access controls and limit user privileges to reduce the attack surface. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and enable kernel lockdown features where possible. Monitoring kernel logs for anomalies related to bfq_dispatch_request or KASAN reports can help detect exploitation attempts. For environments where immediate patching is not feasible, consider disabling the BFQ scheduler or switching to alternative I/O schedulers like CFQ or MQ-Deadline as a temporary mitigation. Additionally, implement comprehensive endpoint detection and response (EDR) solutions to identify suspicious local activities. Regularly audit and restrict local user accounts and ensure that only trusted users have shell access to critical Linux systems.
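One way to carry out the scheduler check and temporary switch described above, as an added example that is not part of the advisory: it reads each device's queue/scheduler file in sysfs, where the active scheduler is shown in brackets, and only suggests a fallback that the kernel actually lists for that device. The function names and the SYSFS_BLOCK override are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find block devices whose active I/O scheduler is bfq and
# print the command that would move each to a scheduler the kernel offers.
# SYSFS_BLOCK is a hypothetical override so the logic can be tested offline.

# "mq-deadline kyber [bfq] none" -> "bfq" (the bracketed entry is active)
active_sched() { printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)].*/\1/p'; }

# Prefer mq-deadline, then kyber, then none; only names the kernel lists.
pick_fallback() {
    for want in mq-deadline kyber none; do
        for have in $(printf '%s' "$1" | tr -d '[]'); do
            [ "$have" = "$want" ] && { echo "$want"; return 0; }
        done
    done
    return 1
}

# Report only; nothing is written to sysfs by this function.
audit_bfq() {
    root=${1:-${SYSFS_BLOCK:-/sys/block}}
    for f in "$root"/*/queue/scheduler; do
        [ -r "$f" ] || continue
        line=$(cat "$f")
        [ "$(active_sched "$line")" = "bfq" ] || continue
        dev=${f#"$root"/}; dev=${dev%%/*}
        if alt=$(pick_fallback "$line"); then
            echo "$dev: bfq active; run: echo $alt > /sys/block/$dev/queue/scheduler"
        else
            echo "$dev: bfq active; no alternative scheduler offered"
        fi
    done
}

audit_bfq
```

The suggested write needs root, takes effect immediately and does not persist across reboots. CFQ was removed in Linux 5.0 together with the legacy block layer, so on kernels that run BFQ under blk-mq the realistic fallbacks are mq-deadline, kyber or none.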


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.280Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe5176

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 7/3/2025, 2:27:57 AM

Last updated: 8/19/2025, 11:13:30 AM
