
CVE-2022-49377: Vulnerability in Linux (Linux kernel)

Severity: High
Vulnerability: CVE-2022-49377
Published: Wed Feb 26 2025 (02/26/2025, 02:11:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: don't touch ->tagset in blk_mq_get_sq_hctx

blk_mq_run_hw_queues() could be run when there isn't a queued request and after the queue is cleaned up; at that time the tagset is freed, because the tagset lifetime is covered by the driver, and it is often freed after blk_cleanup_queue() returns. So don't touch ->tagset for figuring out the current default hctx; use the mapping built in the request queue instead, so a use-after-free on the tagset can be avoided. Meantime this way should be faster than retrieving the mapping from the tagset.

AI-Powered Analysis

Last updated: 07/03/2025, 02:56:32 UTC

Technical Analysis

CVE-2022-49377 is a high-severity use-after-free vulnerability in the Linux kernel's block multi-queue (blk-mq) subsystem. blk-mq manages block device I/O by distributing requests across multiple hardware queues, each represented by a hardware context (hctx). The vulnerability arises in blk_mq_run_hw_queues(), which can be invoked when there are no queued requests and after the request queue has already been cleaned up. At that point the 'tagset' pointer may already be gone: its lifetime is owned by the device driver, and drivers commonly free it after blk_cleanup_queue() returns.

The kernel code in blk_mq_get_sq_hctx() previously dereferenced the 'tagset' to determine the current default hctx, so running the hardware queues after cleanup could read freed memory, a use-after-free (CWE-416). This flaw can lead to memory corruption, potentially allowing a local attacker with low privileges to escalate privileges, cause a denial of service through a kernel crash, or execute arbitrary code in kernel context. The fix stops touching the 'tagset' in this path and instead derives the default hctx from the mapping that the request queue itself holds, which avoids the freed memory and is also faster than retrieving the mapping through the tagset.

The vulnerability has a CVSS 3.1 score of 7.8 (High): attack vector local, low attack complexity, low privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No known exploits were reported in the wild as of the publication date.

Potential Impact

For European organizations, this vulnerability poses a significant risk especially to environments running Linux kernels with the affected blk-mq implementation, which includes many enterprise servers, cloud infrastructure, and embedded systems. Exploitation could allow attackers with local access to escalate privileges to root, potentially leading to full system compromise. This could result in unauthorized data access, data manipulation, or disruption of critical services. Given the widespread use of Linux in European data centers, telecommunications, government, and industrial control systems, successful exploitation could impact confidentiality of sensitive data, integrity of critical operations, and availability of services. The vulnerability is particularly concerning for multi-tenant cloud providers and hosting services common in Europe, where a compromised virtual machine or container could be leveraged to attack the underlying host kernel. Additionally, industries relying on Linux-based embedded devices (e.g., manufacturing, automotive) could face operational disruptions. The absence of known exploits reduces immediate risk but does not eliminate the threat, as the vulnerability is publicly disclosed and could be weaponized by attackers.

Mitigation Recommendations

European organizations should prioritize patching affected Linux kernel versions as soon as vendor updates become available, ensuring the fix that avoids use-after-free on the 'tagset' pointer is applied. In environments where immediate patching is not feasible, organizations should implement strict access controls to limit local user privileges and restrict untrusted users from executing code or commands on vulnerable systems. Employing kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and enabling security modules like SELinux or AppArmor can reduce exploitation likelihood. Monitoring system logs and kernel crash reports for anomalies related to blk-mq operations can help detect attempted exploitation. For cloud providers, isolating tenants and using virtualization security best practices can mitigate lateral movement risks. Regularly auditing and updating Linux distributions to supported versions with security patches is essential. Finally, organizations should maintain incident response readiness to quickly address any exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.558Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe584b

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 7/3/2025, 2:56:32 AM

Last updated: 7/31/2025, 3:22:50 PM

