CVE-2022-49179: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: block, bfq: don't move oom_bfqq Our test report a UAF: [ 2073.019181] ================================================================== [ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584 [ 2073.019192] [ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5 [ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 [ 2073.019200] Call trace: [ 2073.019203] dump_backtrace+0x0/0x310 [ 2073.019206] show_stack+0x28/0x38 [ 2073.019210] dump_stack+0xec/0x15c [ 2073.019216] print_address_description+0x68/0x2d0 [ 2073.019220] kasan_report+0x238/0x2f0 [ 2073.019224] __asan_store8+0x88/0xb0 [ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019233] bfq_put_async_queues+0xbc/0x208 [ 2073.019236] bfq_pd_offline+0x178/0x238 [ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019244] bfq_exit_queue+0x128/0x178 [ 2073.019249] blk_mq_exit_sched+0x12c/0x160 [ 2073.019252] elevator_exit+0xc8/0xd0 [ 2073.019256] blk_exit_queue+0x50/0x88 [ 2073.019259] blk_cleanup_queue+0x228/0x3d8 [ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019274] null_exit+0x90/0x114 [null_blk] [ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019282] el0_svc_common+0xc8/0x320 [ 2073.019287] el0_svc_handler+0xf8/0x160 [ 2073.019290] el0_svc+0x10/0x218 [ 2073.019291] [ 2073.019294] Allocated by task 14163: [ 2073.019301] kasan_kmalloc+0xe0/0x190 [ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418 [ 2073.019308] bfq_pd_alloc+0x54/0x118 [ 2073.019313] blkcg_activate_policy+0x250/0x460 [ 2073.019317] bfq_create_group_hierarchy+0x38/0x110 [ 2073.019321] bfq_init_queue+0x6d0/0x948 [ 2073.019325] blk_mq_init_sched+0x1d8/0x390 [ 2073.019330] elevator_switch_mq+0x88/0x170 [ 2073.019334] elevator_switch+0x140/0x270 [ 2073.019338] elv_iosched_store+0x1a4/0x2a0 [ 2073.019342] queue_attr_store+0x90/0xe0 [ 2073.019348] sysfs_kf_write+0xa8/0xe8 [ 2073.019351] kernfs_fop_write+0x1f8/0x378 [ 2073.019359] __vfs_write+0xe0/0x360 [ 2073.019363] vfs_write+0xf0/0x270 [ 2073.019367] ksys_write+0xdc/0x1b8 [ 2073.019371] __arm64_sys_write+0x50/0x60 [ 2073.019375] el0_svc_common+0xc8/0x320 [ 2073.019380] el0_svc_handler+0xf8/0x160 [ 2073.019383] el0_svc+0x10/0x218 [ 2073.019385] [ 2073.019387] Freed by task 72584: [ 2073.019391] __kasan_slab_free+0x120/0x228 [ 2073.019394] kasan_slab_free+0x10/0x18 [ 2073.019397] kfree+0x94/0x368 [ 2073.019400] bfqg_put+0x64/0xb0 [ 2073.019404] bfqg_and_blkg_put+0x90/0xb0 [ 2073.019408] bfq_put_queue+0x220/0x228 [ 2073.019413] __bfq_put_async_bfqq+0x98/0x168 [ 2073.019416] bfq_put_async_queues+0xbc/0x208 [ 2073.019420] bfq_pd_offline+0x178/0x238 [ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019429] bfq_exit_queue+0x128/0x178 [ 2073.019433] blk_mq_exit_sched+0x12c/0x160 [ 2073.019437] elevator_exit+0xc8/0xd0 [ 2073.019440] blk_exit_queue+0x50/0x88 [ 2073.019443] blk_cleanup_queue+0x228/0x3d8 [ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019459] null_exit+0x90/0x114 [null_blk] [ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019467] el0_svc_common+0xc8/0x320 [ 2073.019471] el0_svc_handler+0xf8/0x160 [ 2073.019474] el0_svc+0x10/0x218 [ 2073.019475] [ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00 which belongs to the cache kmalloc-1024 of size 1024 [ 2073.019484] The buggy address is located 552 bytes inside of 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300) [ 2073.019486] The buggy address belongs to the page: [ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0 [ 2073.020123] flags: 0x7ffff0000008100(slab|head) [ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00 [ 2073.020409] ra ---truncated---
AI Analysis
Technical Summary
CVE-2022-49179 is a high-severity use-after-free (UAF) vulnerability identified in the Linux kernel's block I/O layer, specifically within the BFQ (Budget Fair Queueing) I/O scheduler implementation. The vulnerability arises due to improper handling of asynchronous BFQ queue objects, leading to a scenario where a freed object is accessed again, causing memory corruption. The kernel's Kernel Address Sanitizer (KASAN) detected this UAF condition during testing, with detailed kernel stack traces showing the sequence of function calls leading to the erroneous access. The flaw is rooted in the function __bfq_put_async_bfqq and related BFQ queue management routines, where the asynchronous BFQ queue objects are not correctly managed during their lifecycle, particularly when the Out-Of-Memory (OOM) BFQ queue is moved or freed. This vulnerability affects Linux kernel versions containing the vulnerable BFQ scheduler code, as indicated by the affected commit hashes. Exploitation requires local privileges (low complexity) and no user interaction, but it can lead to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 score of 7.8 reflects the high impact and relatively low attack complexity. While no known exploits are reported in the wild, the vulnerability's nature makes it a significant risk for systems running vulnerable Linux kernels, especially those using the BFQ scheduler for block I/O. The vulnerability could be leveraged to execute arbitrary code in kernel context, cause kernel crashes, or escalate privileges, posing a critical threat to system stability and security.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those relying on Linux-based infrastructure for critical services, including cloud providers, data centers, telecom operators, and enterprises using Linux servers. Exploitation could lead to kernel crashes (denial of service), privilege escalation, or arbitrary code execution, potentially allowing attackers to gain root access or disrupt essential services. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government, where confidentiality and integrity breaches could lead to regulatory penalties under GDPR and other frameworks. Additionally, the vulnerability could impact embedded Linux systems used in industrial control, IoT devices, and networking equipment, which are prevalent in European critical infrastructure. The requirement for local privileges limits remote exploitation but insider threats or compromised user accounts could be leveraged to exploit this flaw. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as proof-of-concept exploits could emerge, increasing the threat landscape.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions by applying vendor-supplied updates or kernel patches that address this UAF vulnerability. Since the vulnerability is in the BFQ I/O scheduler, organizations not explicitly using BFQ can consider disabling it or switching to alternative I/O schedulers (e.g., CFQ, MQ-Deadline) as a temporary mitigation. Employ kernel hardening techniques such as enabling Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues proactively. Limit local user privileges strictly and monitor for suspicious activity indicative of attempts to exploit kernel vulnerabilities. Implement strict access controls and audit logging on systems with multi-user access. For embedded or specialized devices, coordinate with hardware vendors to obtain patched firmware or kernel versions. Additionally, employ runtime protection mechanisms like SELinux or AppArmor to restrict kernel module loading and system call usage that could facilitate exploitation. Regularly review and update incident response plans to include kernel-level vulnerabilities and ensure rapid deployment of patches across the infrastructure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2022-49179: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: block, bfq: don't move oom_bfqq Our test report a UAF: [ 2073.019181] ================================================================== [ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584 [ 2073.019192] [ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5 [ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 [ 2073.019200] Call trace: [ 2073.019203] dump_backtrace+0x0/0x310 [ 2073.019206] show_stack+0x28/0x38 [ 2073.019210] dump_stack+0xec/0x15c [ 2073.019216] print_address_description+0x68/0x2d0 [ 2073.019220] kasan_report+0x238/0x2f0 [ 2073.019224] __asan_store8+0x88/0xb0 [ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019233] bfq_put_async_queues+0xbc/0x208 [ 2073.019236] bfq_pd_offline+0x178/0x238 [ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019244] bfq_exit_queue+0x128/0x178 [ 2073.019249] blk_mq_exit_sched+0x12c/0x160 [ 2073.019252] elevator_exit+0xc8/0xd0 [ 2073.019256] blk_exit_queue+0x50/0x88 [ 2073.019259] blk_cleanup_queue+0x228/0x3d8 [ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019274] null_exit+0x90/0x114 [null_blk] [ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019282] el0_svc_common+0xc8/0x320 [ 2073.019287] el0_svc_handler+0xf8/0x160 [ 2073.019290] el0_svc+0x10/0x218 [ 2073.019291] [ 2073.019294] Allocated by task 14163: [ 2073.019301] kasan_kmalloc+0xe0/0x190 [ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418 [ 2073.019308] bfq_pd_alloc+0x54/0x118 [ 2073.019313] blkcg_activate_policy+0x250/0x460 [ 2073.019317] bfq_create_group_hierarchy+0x38/0x110 [ 2073.019321] bfq_init_queue+0x6d0/0x948 [ 2073.019325] blk_mq_init_sched+0x1d8/0x390 [ 2073.019330] elevator_switch_mq+0x88/0x170 [ 2073.019334] elevator_switch+0x140/0x270 [ 2073.019338] elv_iosched_store+0x1a4/0x2a0 [ 2073.019342] queue_attr_store+0x90/0xe0 [ 2073.019348] sysfs_kf_write+0xa8/0xe8 [ 2073.019351] kernfs_fop_write+0x1f8/0x378 [ 2073.019359] __vfs_write+0xe0/0x360 [ 2073.019363] vfs_write+0xf0/0x270 [ 2073.019367] ksys_write+0xdc/0x1b8 [ 2073.019371] __arm64_sys_write+0x50/0x60 [ 2073.019375] el0_svc_common+0xc8/0x320 [ 2073.019380] el0_svc_handler+0xf8/0x160 [ 2073.019383] el0_svc+0x10/0x218 [ 2073.019385] [ 2073.019387] Freed by task 72584: [ 2073.019391] __kasan_slab_free+0x120/0x228 [ 2073.019394] kasan_slab_free+0x10/0x18 [ 2073.019397] kfree+0x94/0x368 [ 2073.019400] bfqg_put+0x64/0xb0 [ 2073.019404] bfqg_and_blkg_put+0x90/0xb0 [ 2073.019408] bfq_put_queue+0x220/0x228 [ 2073.019413] __bfq_put_async_bfqq+0x98/0x168 [ 2073.019416] bfq_put_async_queues+0xbc/0x208 [ 2073.019420] bfq_pd_offline+0x178/0x238 [ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019429] bfq_exit_queue+0x128/0x178 [ 2073.019433] blk_mq_exit_sched+0x12c/0x160 [ 2073.019437] elevator_exit+0xc8/0xd0 [ 2073.019440] blk_exit_queue+0x50/0x88 [ 2073.019443] blk_cleanup_queue+0x228/0x3d8 [ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019459] null_exit+0x90/0x114 [null_blk] [ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019467] el0_svc_common+0xc8/0x320 [ 2073.019471] el0_svc_handler+0xf8/0x160 [ 2073.019474] el0_svc+0x10/0x218 [ 2073.019475] [ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00 which belongs to the cache kmalloc-1024 of size 1024 [ 2073.019484] The buggy address is located 552 bytes inside of 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300) [ 2073.019486] The buggy address belongs to the page: [ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0 [ 2073.020123] flags: 0x7ffff0000008100(slab|head) [ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00 [ 2073.020409] ra ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2022-49179 is a high-severity use-after-free (UAF) vulnerability identified in the Linux kernel's block I/O layer, specifically within the BFQ (Budget Fair Queueing) I/O scheduler implementation. The vulnerability arises due to improper handling of asynchronous BFQ queue objects, leading to a scenario where a freed object is accessed again, causing memory corruption. The kernel's Kernel Address Sanitizer (KASAN) detected this UAF condition during testing, with detailed kernel stack traces showing the sequence of function calls leading to the erroneous access. The flaw is rooted in the function __bfq_put_async_bfqq and related BFQ queue management routines, where the asynchronous BFQ queue objects are not correctly managed during their lifecycle, particularly when the Out-Of-Memory (OOM) BFQ queue is moved or freed. This vulnerability affects Linux kernel versions containing the vulnerable BFQ scheduler code, as indicated by the affected commit hashes. Exploitation requires local privileges (low complexity) and no user interaction, but it can lead to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 score of 7.8 reflects the high impact and relatively low attack complexity. While no known exploits are reported in the wild, the vulnerability's nature makes it a significant risk for systems running vulnerable Linux kernels, especially those using the BFQ scheduler for block I/O. The vulnerability could be leveraged to execute arbitrary code in kernel context, cause kernel crashes, or escalate privileges, posing a critical threat to system stability and security.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those relying on Linux-based infrastructure for critical services, including cloud providers, data centers, telecom operators, and enterprises using Linux servers. Exploitation could lead to kernel crashes (denial of service), privilege escalation, or arbitrary code execution, potentially allowing attackers to gain root access or disrupt essential services. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government, where confidentiality and integrity breaches could lead to regulatory penalties under GDPR and other frameworks. Additionally, the vulnerability could impact embedded Linux systems used in industrial control, IoT devices, and networking equipment, which are prevalent in European critical infrastructure. The requirement for local privileges limits remote exploitation but insider threats or compromised user accounts could be leveraged to exploit this flaw. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as proof-of-concept exploits could emerge, increasing the threat landscape.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions by applying vendor-supplied updates or kernel patches that address this UAF vulnerability. Since the vulnerability is in the BFQ I/O scheduler, organizations not explicitly using BFQ can consider disabling it or switching to alternative I/O schedulers (e.g., CFQ, MQ-Deadline) as a temporary mitigation. Employ kernel hardening techniques such as enabling Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues proactively. Limit local user privileges strictly and monitor for suspicious activity indicative of attempts to exploit kernel vulnerabilities. Implement strict access controls and audit logging on systems with multi-user access. For embedded or specialized devices, coordinate with hardware vendors to obtain patched firmware or kernel versions. Additionally, employ runtime protection mechanisms like SELinux or AppArmor to restrict kernel module loading and system call usage that could facilitate exploitation. Regularly review and update incident response plans to include kernel-level vulnerabilities and ensure rapid deployment of patches across the infrastructure.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T01:49:39.281Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d982dc4522896dcbe5180
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 7/3/2025, 2:28:18 AM
Last updated: 8/11/2025, 9:43:48 AM
Views: 18
Related Threats
CVE-2025-8952: SQL Injection in Campcodes Online Flight Booking Management System
MediumCVE-2025-8951: SQL Injection in PHPGurukul Teachers Record Management System
MediumCVE-2025-8950: SQL Injection in Campcodes Online Recruitment Management System
MediumCVE-2025-27388: CWE-20 Improper Input Validation in OPPO OPPO HEALTH APP
HighCVE-2025-8949: Stack-based Buffer Overflow in D-Link DIR-825
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.