CVE-2022-49297: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

nbd: fix io hung while disconnecting device

In our tests, "qemu-nbd" triggers an IO hang:

INFO: task qemu-nbd:11445 blocked for more than 368 seconds.
Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:qemu-nbd state:D stack: 0 pid:11445 ppid: 1 flags:0x00000000
Call Trace:
<TASK>
__schedule+0x480/0x1050
? _raw_spin_lock_irqsave+0x3e/0xb0
schedule+0x9c/0x1b0
blk_mq_freeze_queue_wait+0x9d/0xf0
? ipi_rseq+0x70/0x70
blk_mq_freeze_queue+0x2b/0x40
nbd_add_socket+0x6b/0x270 [nbd]
nbd_ioctl+0x383/0x510 [nbd]
blkdev_ioctl+0x18e/0x3e0
__x64_sys_ioctl+0xac/0x120
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd8ff706577
RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577
RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f
RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0
R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d
R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0

"qemu-nbd -d" will call ioctl 'NBD_DISCONNECT' first; however, the following message was found:

block nbd0: Send disconnect failed -32

which indicates that something is wrong with the server. Then, "qemu-nbd -d" will call ioctl 'NBD_CLEAR_SOCK'; however, the ioctl can't clear requests after commit 2516ab1543fd ("nbd: only clear the queue on device teardown"). And in the meantime, the request can't complete through timeout because nbd_xmit_timeout() will always return 'BLK_EH_RESET_TIMER', which means such a request will never be completed in this situation.

Now that the flag 'NBD_CMD_INFLIGHT' can make sure requests won't complete multiple times, switch back to calling nbd_clear_sock() in nbd_clear_sock_ioctl(), so that inflight requests can be cleared.
AI Analysis
Technical Summary
CVE-2022-49297 is a vulnerability in the Linux kernel's Network Block Device (nbd) subsystem, specifically in the handling of input/output (IO) operations during device disconnection. The issue manifests as an IO hang when disconnecting an nbd device, as demonstrated by the 'qemu-nbd' utility leaving a task blocked for an extended period (over 368 seconds). The root cause lies in the improper clearing of inflight requests during the disconnection process. After kernel commit 2516ab1543fd, the ioctl command 'NBD_CLEAR_SOCK' no longer clears requests correctly, causing requests to remain uncompleted indefinitely. This is because the nbd_xmit_timeout() function returns 'BLK_EH_RESET_TIMER', which prevents request completion by resetting the timeout timer repeatedly. The vulnerability leads to a hung IO state in which the nbd device cannot properly disconnect and requests remain stuck, potentially causing resource exhaustion or denial of service. The fix reintroduces the clearing of inflight requests by calling nbd_clear_sock() in the ioctl handler, ensuring that requests do not remain indefinitely inflight and that the device can disconnect cleanly. This vulnerability affects Linux kernel versions containing the specified commit hashes and impacts systems using nbd devices, commonly employed in virtualization and storage scenarios.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments utilizing Linux-based virtualization or storage solutions that rely on the nbd subsystem, such as QEMU/KVM virtual machines or networked block storage setups. The IO hang can lead to denial of service conditions on affected hosts, causing virtual machines or storage services to become unresponsive or degraded. This can disrupt critical business operations, especially in data centers, cloud service providers, and enterprises with heavy reliance on Linux virtualization infrastructure. Additionally, prolonged IO hangs may lead to resource exhaustion, impacting system stability and availability. While this vulnerability does not directly enable privilege escalation or data leakage, the denial of service impact can have significant operational consequences. European organizations with large-scale Linux deployments, particularly in sectors like finance, telecommunications, and public services, may face increased risk due to their dependence on stable virtualization and storage services.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Apply the latest Linux kernel patches that address CVE-2022-49297 as soon as they become available, ensuring the nbd subsystem properly clears inflight requests during device disconnection.
2) Audit and monitor systems using nbd devices, particularly those running QEMU/KVM, for signs of IO hangs or blocked tasks related to nbd operations.
3) Implement proactive monitoring of kernel logs for hung task warnings and IO timeout messages to detect early signs of exploitation or impact.
4) Where possible, limit the use of nbd devices to trusted environments and restrict access to the nbd control interfaces to authorized users only, reducing the risk of triggering the vulnerability.
5) Consider deploying fallback or redundancy mechanisms for critical virtual machines and storage services to minimize downtime in case of IO hangs.
6) Engage with Linux distribution vendors and maintain an update schedule that prioritizes kernel security patches for production systems.
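Recommendations 2 and 3 call for watching kernel logs for hung-task warnings tied to nbd. The following Python scanner is an added example (not part of this advisory or of the kernel): it parses the khungtaskd banner and the call trace that follows it, keeps only tasks whose trace passes through the nbd module, and separately reports 'Send disconnect failed' messages; the sample log is constructed from the trace quoted in the description above plus an unrelated hung worker to show the filter.

```python
import re

# Hung-task banner from the kernel's khungtaskd, in the form quoted in the description above.
HUNG_RE = re.compile(r"INFO: task (\S+):(\d+) blocked for more than (\d+) seconds\.")
# Call-trace frames from the nbd module render as "symbol+0x../0x.. [nbd]".
NBD_FRAME_RE = re.compile(r"\b(nbd_\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[nbd\]")
# The failed NBD_DISCONNECT message that preceded the hang (-32 is EPIPE).
DISCONNECT_RE = re.compile(r"block (nbd\d+): Send disconnect failed (-?\d+)")

def scan_kernel_log(text):
    """Return one dict per hung task whose call trace passes through nbd code."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HUNG_RE.search(lines[i])
        if not m:
            i += 1
            continue
        task, pid, secs = m.group(1), int(m.group(2)), int(m.group(3))
        frames = []
        i += 1
        # A trace ends at the user-space register dump (RIP:) or at the next banner.
        while i < len(lines) and not lines[i].lstrip().startswith("RIP:") and not HUNG_RE.search(lines[i]):
            frames += NBD_FRAME_RE.findall(lines[i])
            i += 1
        if frames:  # hung tasks outside nbd are not this CVE's signature
            findings.append({"task": task, "pid": pid, "seconds": secs, "nbd_frames": frames})
    return findings

def disconnect_failures(text):
    """Return (device, errno) pairs for every 'Send disconnect failed' message."""
    return [(dev, int(err)) for dev, err in DISCONNECT_RE.findall(text)]

# Constructed sample log: the trace from the CVE description plus an unrelated hung worker.
SAMPLE_LOG = """\
block nbd0: Send disconnect failed -32
INFO: task qemu-nbd:11445 blocked for more than 368 seconds.
Call Trace:
 blk_mq_freeze_queue_wait+0x9d/0xf0
 blk_mq_freeze_queue+0x2b/0x40
 nbd_add_socket+0x6b/0x270 [nbd]
 nbd_ioctl+0x383/0x510 [nbd]
 blkdev_ioctl+0x18e/0x3e0
RIP: 0033:0x7fd8ff706577
INFO: task kworker/u8:1:77 blocked for more than 122 seconds.
Call Trace:
 io_schedule+0x40/0x70
"""
```

Feed it the output of `dmesg` or `journalctl -k`; a non-empty result from scan_kernel_log() together with a matching disconnect failure on the same nbd device is the pattern the commit message describes.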
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.302Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982dc4522896dcbe5588
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 5:26:32 AM
Last updated: 8/12/2025, 8:38:47 AM
Views: 14