
CVE-2022-49412: Vulnerability in the Linux kernel (Vendor: Linux, Product: Linux)

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 02:12:34 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bfq: Avoid merging queues with different parents

It can happen that the parent of a bfqq changes between the moment we decide two queues are worth merging (and set bic->stable_merge_bfqq) and the moment bfq_setup_merge() is called. This can happen e.g. because the process submitted IO for a different cgroup and thus bfqq got reparented. It can even happen that the bfqq we are merging with has a parent cgroup that is already offline and going to be destroyed, in which case the merge can lead to use-after-free issues such as:

BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50
Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544

CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0x46/0x5a
 print_address_description.constprop.0+0x1f/0x140
 ? __bfq_deactivate_entity+0x9cb/0xa50
 kasan_report.cold+0x7f/0x11b
 ? __bfq_deactivate_entity+0x9cb/0xa50
 __bfq_deactivate_entity+0x9cb/0xa50
 ? update_curr+0x32f/0x5d0
 bfq_deactivate_entity+0xa0/0x1d0
 bfq_del_bfqq_busy+0x28a/0x420
 ? resched_curr+0x116/0x1d0
 ? bfq_requeue_bfqq+0x70/0x70
 ? check_preempt_wakeup+0x52b/0xbc0
 __bfq_bfqq_expire+0x1a2/0x270
 bfq_bfqq_expire+0xd16/0x2160
 ? try_to_wake_up+0x4ee/0x1260
 ? bfq_end_wr_async_queues+0xe0/0xe0
 ? _raw_write_unlock_bh+0x60/0x60
 ? _raw_spin_lock_irq+0x81/0xe0
 bfq_idle_slice_timer+0x109/0x280
 ? bfq_dispatch_request+0x4870/0x4870
 __hrtimer_run_queues+0x37d/0x700
 ? enqueue_hrtimer+0x1b0/0x1b0
 ? kvm_clock_get_cycles+0xd/0x10
 ? ktime_get_update_offsets_now+0x6f/0x280
 hrtimer_interrupt+0x2c8/0x740

Fix the problem by checking that the parent of the two bfqqs we are merging in bfq_setup_merge() is the same.

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 02:57:25 UTC

Technical Analysis

CVE-2022-49412 is a high-severity vulnerability in the Linux kernel's BFQ (Budget Fair Queueing) I/O scheduler. The flaw arises from improper handling of queue merging when the parent cgroup of a bfqq (BFQ queue) changes between the decision to merge two queues and the actual merge operation. A bfqq can be reparented because the process submitting I/O did so for a different cgroup. If the bfqq being merged with has a parent cgroup that is already offline and scheduled for destruction, the merge leads to a use-after-free.

The use-after-free is a kernel memory-safety error, tracked as CWE-416 (Use After Free). It can cause system instability or kernel panics and, as with other kernel memory corruption, could potentially be leveraged to execute arbitrary code with kernel privileges. The root cause is that the BFQ scheduler did not verify that the parents of the two bfqqs were still the same at merge time, leading to unsafe memory access. The fix adds a check in bfq_setup_merge() that the two bfqqs have the same parent before they are merged.

The CVSS v3.1 base score is 7.8 (high), reflecting a local attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No exploits in the wild are known at the time of writing. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using the BFQ I/O scheduler, which is common in many Linux distributions, including those used in enterprise and cloud environments.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for servers and infrastructure running Linux kernels with the BFQ scheduler enabled. Exploitation can lead to kernel crashes causing denial of service or, potentially, privilege escalation that gives an attacker root access. This is critical for data centers, cloud providers, and enterprises relying on Linux for critical workloads, as it can compromise the confidentiality, integrity, and availability of sensitive data and services. The vulnerability could be exploited by local attackers or by compromised processes with limited privileges, including in containerized environments (e.g., Docker, Kubernetes) where processes run with restricted permissions but share the host kernel. Given the widespread use of Linux in the European public sector, finance, telecommunications, and industrial control systems, the impact could be broad. Additionally, disruption of critical infrastructure or cloud services could have cascading effects on dependent businesses and services across Europe.

Mitigation Recommendations

European organizations should promptly apply the official Linux kernel patches that address CVE-2022-49412. If immediate patching is not feasible, mitigating controls include disabling the BFQ I/O scheduler or switching to alternative schedulers such as CFQ or deadline, where appropriate. Organizations should audit their Linux systems to identify usage of the BFQ scheduler, especially on critical servers and container hosts. Implement strict access controls to limit local user privileges and container escape risks. Monitoring kernel logs for signs of use-after-free errors or kernel panics can help detect exploitation attempts. Additionally, organizations should ensure that cgroup configurations are properly managed to avoid unexpected reparenting scenarios. Regular vulnerability scanning and integration of kernel updates into patch management workflows are essential. For cloud environments, coordinate with providers to confirm kernel patch status and scheduler configurations.
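The audit and monitoring steps above, as an added POSIX shell example that is not part of the advisory and not code from the kernel project: it parses the active scheduler out of each /sys/block/<dev>/queue/scheduler entry (a real sysfs path; the kernel marks the active scheduler with square brackets), counts KASAN use-after-free reports in bfq functions in a kernel log, and shows the switch to mq-deadline, the multiqueue form of the deadline scheduler the text names. The sample sysfs tree and the sample log lines (built from the trace quoted in the description) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this advisory, not code from the kernel project or the
# advisory's author. Audits block devices for the BFQ scheduler, counts KASAN
# use-after-free reports in bfq code, and shows the scheduler switch.
# The sample tree and sample log lines below are constructed.

# Parse one scheduler line such as "mq-deadline kyber [bfq] none" and print
# the active scheduler, which the kernel marks with square brackets.
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# Print "<device> bfq" for every block device under the given sysfs root
# (default /sys/block) whose active scheduler is bfq. Unreadable or missing
# entries are skipped, so the function is safe on hosts without BFQ.
find_bfq_devices() {
    root="${1:-/sys/block}"
    for f in "$root"/*/queue/scheduler; do
        [ -r "$f" ] || continue
        dev=$(basename "$(dirname "$(dirname "$f")")")
        if [ "$(active_scheduler "$(cat "$f")")" = "bfq" ]; then
            printf '%s bfq\n' "$dev"
        fi
    done
    return 0
}

# Count kernel log lines (read from stdin, e.g. "dmesg | count_bfq_uaf") that
# carry the KASAN use-after-free signature seen in the advisory's trace.
# "|| true" keeps the printed count at 0 instead of a non-zero exit on no match.
count_bfq_uaf() {
    grep -c 'KASAN: use-after-free in .*bfq' || true
}

# Move one device to mq-deadline; needs root and affects only that device.
switch_to_mq_deadline() {
    echo mq-deadline > "/sys/block/$1/queue/scheduler"
}

# Build a constructed sysfs-like tree (two devices, one on bfq) for the demo.
build_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/sda/queue" "$tree/nvme0n1/queue"
    printf 'mq-deadline kyber [bfq] none\n' > "$tree/sda/queue/scheduler"
    printf '[none] mq-deadline\n' > "$tree/nvme0n1/queue/scheduler"
    printf '%s\n' "$tree"
}

# Constructed kernel log: the first two lines echo the report quoted in the
# advisory, the third is unrelated noise that must not be counted.
SAMPLE_LOG='[  123.456789] BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50
[  123.456790] Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544
[  124.000001] EXT4-fs (sda1): mounted filesystem with ordered data mode'

demo() {
    tree=$(build_sample_tree)
    echo "Devices on bfq (sample tree):"
    find_bfq_devices "$tree"
    echo "KASAN bfq use-after-free reports in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_bfq_uaf)"
    rm -rf "$tree"
}

demo
```

On a real host, run `find_bfq_devices` with no argument to walk /sys/block, and pipe `dmesg` or a saved journal export into `count_bfq_uaf`; a non-zero count is worth a closer look at the surrounding trace.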


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.567Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe593a

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 7/3/2025, 2:57:25 AM

Last updated: 8/15/2025, 4:39:23 PM
