CVE-2022-49309: Vulnerability in Linux Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 02:10:40 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()

There is a deadlock in rtw_surveydone_event_callback(), which is shown below:

       (Thread 1)                   |      (Thread 2)
                                    | _set_timer()
    rtw_surveydone_event_callback() |  mod_timer()
     spin_lock_bh() //(1)           |  (wait a time)
     ...                            | rtw_scan_timeout_handler()
     del_timer_sync()               |  spin_lock_bh() //(2)
     (wait timer to stop)           |  ...

We hold pmlmepriv->lock in position (1) of thread 1 and use del_timer_sync() to wait for the timer to stop, but the timer handler also needs pmlmepriv->lock in position (2) of thread 2. As a result, rtw_surveydone_event_callback() will block forever.

This patch extracts del_timer_sync() from the protection of spin_lock_bh(), which lets the timer handler obtain the needed lock. What's more, we change spin_lock_bh() in rtw_scan_timeout_handler() to spin_lock_irq(). Otherwise, spin_lock_bh() will also cause deadlock() in the timer handler.

AI-Powered Analysis

Last updated: 06/30/2025, 05:40:54 UTC

Technical Analysis

CVE-2022-49309 is a concurrency vulnerability in the Linux kernel specifically affecting the rtl8723bs wireless driver located in the staging drivers section. The issue arises from a deadlock condition in the function rtw_surveydone_event_callback(). The deadlock occurs due to improper locking and timer handling synchronization. Thread 1 holds the pmlmepriv->lock via spin_lock_bh() and calls del_timer_sync() to wait for a timer to stop. Meanwhile, Thread 2, which is the timer handler (rtw_scan_timeout_handler()), attempts to acquire the same lock using spin_lock_bh(). Since Thread 1 is waiting for the timer to stop while holding the lock, and the timer handler cannot proceed without acquiring the lock, both threads end up waiting indefinitely, causing a deadlock. The patch resolves this by moving del_timer_sync() outside the spin_lock_bh() protection in Thread 1, allowing the timer handler to acquire the lock as needed. Additionally, the spin_lock_bh() in the timer handler is replaced with spin_lock_irq() to prevent deadlocks caused by interrupt context locking conflicts. This fix ensures proper synchronization and prevents the kernel from hanging due to this deadlock scenario in the wireless driver. The vulnerability affects Linux kernel versions containing the specified commit hash and is related to the rtl8723bs wireless chipset driver, which is commonly used in embedded and mobile devices. No known exploits are reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, the impact of this vulnerability could be significant in environments where devices running affected Linux kernels utilize the rtl8723bs wireless driver. This includes embedded systems, IoT devices, and potentially laptops or mobile devices using this chipset. The deadlock can cause the kernel to hang or freeze, leading to denial of service (DoS) conditions on affected devices. This could disrupt critical network connectivity, especially in industrial, healthcare, or enterprise environments relying on wireless communications. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact can affect operational continuity. Organizations with large deployments of Linux-based wireless devices or embedded systems in their infrastructure could face increased downtime or require emergency patching. The absence of known exploits reduces immediate risk, but the potential for local denial of service remains a concern, especially in sensitive or high-availability environments.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Identify and inventory devices running Linux kernels with the rtl8723bs driver, focusing on embedded, IoT, and mobile devices.
2) Apply the official Linux kernel patches that fix the deadlock by updating to a kernel version that includes the fix for CVE-2022-49309.
3) For devices where kernel updates are not immediately feasible, consider temporary workarounds such as disabling the rtl8723bs wireless driver if wireless connectivity is not critical or using alternative wireless hardware.
4) Implement monitoring to detect kernel hangs or system freezes that could indicate deadlock conditions.
5) Coordinate with device vendors to ensure timely firmware or kernel updates are provided and deployed.
6) Incorporate this vulnerability into vulnerability management and patching cycles to ensure ongoing compliance and risk reduction.
7) Test kernel updates in controlled environments before wide deployment to avoid unintended side effects.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.536Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe55dd

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 5:40:54 AM

Last updated: 8/6/2025, 2:11:12 AM
