CVE-2022-49270: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

dm: fix use-after-free in dm_cleanup_zoned_dev()

dm_cleanup_zoned_dev() uses queue, so it must be called before blk_cleanup_disk() starts its killing:

blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()

Otherwise, RCU callback may be executed first and dm_cleanup_zoned_dev() will touch free'd memory:

BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681

CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0+0x1f/0x150
 ? dm_cleanup_zoned_dev+0x33/0xd0
 kasan_report.cold+0x7f/0x11b
 ? dm_cleanup_zoned_dev+0x33/0xd0
 dm_cleanup_zoned_dev+0x33/0xd0
 __dm_destroy+0x26a/0x400
 ? dm_blk_ioctl+0x230/0x230
 ? up_write+0xd8/0x270
 dev_remove+0x156/0x1d0
 ctl_ioctl+0x269/0x530
 ? table_clear+0x140/0x140
 ? lock_release+0xb2/0x750
 ? remove_all+0x40/0x40
 ? rcu_read_lock_sched_held+0x12/0x70
 ? lock_downgrade+0x3c0/0x3c0
 ? rcu_read_lock_sched_held+0x12/0x70
 dm_ctl_ioctl+0xa/0x10
 __x64_sys_ioctl+0xb9/0xf0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb6dfa95c27
AI Analysis
Technical Summary
CVE-2022-49270 is a high-severity use-after-free vulnerability in the Linux kernel's device mapper (dm) subsystem, in the device teardown path that calls dm_cleanup_zoned_dev(). The flaw is an ordering error: dm_cleanup_zoned_dev() reads the device's request queue, so it must run before blk_cleanup_disk() begins tearing that queue down. The teardown proceeds through blk_cleanup_queue(), kobject_put() and blk_release_queue(), and finally frees the queue in blk_free_queue_rcu() via kmem_cache_free() from an RCU (Read-Copy-Update) callback. With the calls in the wrong order, the RCU callback can run first, and dm_cleanup_zoned_dev() then reads memory that has already been freed. A use-after-free in kernel context can corrupt kernel memory, crash the system, or potentially lead to arbitrary code execution. The bug was identified through Kernel Address Sanitizer (KASAN) reports of an invalid 8-byte read during a dmsetup device-removal operation; the trace shows the path dev_remove() -> __dm_destroy() -> dm_cleanup_zoned_dev(). Device mapper is widely used for logical volume management, software RAID, and storage virtualization in Linux environments. The CVSS v3.1 base score is 7.8: high impact on confidentiality, integrity, and availability, low attack complexity, local privileges required, and no user interaction. No exploits are reported in the wild yet, but the kernel-level impact and the central role of device mapper in storage management make the vulnerability a significant risk.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for those relying on Linux-based servers and infrastructure for critical operations, including cloud providers, data centers, and enterprises using logical volume management or storage virtualization. Exploitation could lead to kernel crashes causing denial of service, data corruption, or privilege escalation enabling attackers to gain full control over affected systems. This could disrupt business continuity, compromise sensitive data, and impact service availability. Given the widespread use of Linux in the European public sector, financial institutions, and technology companies, the vulnerability could have cascading effects on critical infrastructure and services. The requirement for local privileges rules out direct remote exploitation, but insider threats or attackers who have already gained initial access could use this flaw to escalate privileges and deepen their foothold.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that correct the order of cleanup calls in the device mapper subsystem so that dm_cleanup_zoned_dev() runs before the queue is released. Until patches are deployed, organizations should restrict access to systems running vulnerable kernel versions by enforcing strict access controls and monitoring for suspicious local activity involving dmsetup or device mapper operations (device removal requires the privileges needed to issue device mapper ioctls, so unexpected use of those operations by unprivileged or unfamiliar accounts is a useful signal). Build test kernels with Kernel Address Sanitizer (KASAN), which is a debugging tool rather than a production hardening feature, to detect similar memory-safety issues proactively. Additionally, implement host-based intrusion detection systems (HIDS) to alert on anomalous kernel-level behavior such as unexpected kernel oopses or KASAN reports in system logs. Regularly audit and update Linux kernel versions to the latest stable releases, and consider isolating critical storage management functions in hardened or containerized environments to limit impact. Finally, maintain comprehensive backups and incident response plans to recover quickly from potential exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.297Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982dc4522896dcbe54d2
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 7/3/2025, 2:40:44 AM
Last updated: 8/11/2025, 5:53:53 AM
Views: 12
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)