
CVE-2022-49465: Vulnerability in Linux Linux

Severity: High
Type: Vulnerability
CVE: CVE-2022-49465
Published: Wed Feb 26 2025 (02/26/2025, 02:13:10 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-throttle: Set BIO_THROTTLED when bio has been throttled

1. In the current process, all bios have the BIO_THROTTLED flag set after __blk_throtl_bio().
2. If a bio needs to be throttled, the timer is started and the bio is not submitted directly. The bio is submitted in blk_throtl_dispatch_work_fn() when the timer expires.

But in the current process, if the bio is throttled, BIO_THROTTLED is set on the bio after the timer has started. If the bio has already completed by then, this may cause the use-after-free below.

BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
Read of size 2 at addr ffff88801b8902d4 by task fio/26380
 dump_stack+0x9b/0xce
 print_address_description.constprop.6+0x3e/0x60
 kasan_report.cold.9+0x22/0x3a
 blk_throtl_bio+0x12f0/0x2c70
 submit_bio_checks+0x701/0x1550
 submit_bio_noacct+0x83/0xc80
 submit_bio+0xa7/0x330
 mpage_readahead+0x380/0x500
 read_pages+0x1c1/0xbf0
 page_cache_ra_unbounded+0x471/0x6f0
 do_page_cache_ra+0xda/0x110
 ondemand_readahead+0x442/0xae0
 page_cache_async_ra+0x210/0x300
 generic_file_buffered_read+0x4d9/0x2130
 generic_file_read_iter+0x315/0x490
 blkdev_read_iter+0x113/0x1b0
 aio_read+0x2ad/0x450
 io_submit_one+0xc8e/0x1d60
 __se_sys_io_submit+0x125/0x350
 do_syscall_64+0x2d/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 26380:
 kasan_save_stack+0x19/0x40
 __kasan_kmalloc.constprop.2+0xc1/0xd0
 kmem_cache_alloc+0x146/0x440
 mempool_alloc+0x125/0x2f0
 bio_alloc_bioset+0x353/0x590
 mpage_alloc+0x3b/0x240
 do_mpage_readpage+0xddf/0x1ef0
 mpage_readahead+0x264/0x500
 read_pages+0x1c1/0xbf0
 page_cache_ra_unbounded+0x471/0x6f0
 do_page_cache_ra+0xda/0x110
 ondemand_readahead+0x442/0xae0
 page_cache_async_ra+0x210/0x300
 generic_file_buffered_read+0x4d9/0x2130
 generic_file_read_iter+0x315/0x490
 blkdev_read_iter+0x113/0x1b0
 aio_read+0x2ad/0x450
 io_submit_one+0xc8e/0x1d60
 __se_sys_io_submit+0x125/0x350
 do_syscall_64+0x2d/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 0:
 kasan_save_stack+0x19/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x1b/0x30
 __kasan_slab_free+0x111/0x160
 kmem_cache_free+0x94/0x460
 mempool_free+0xd6/0x320
 bio_free+0xe0/0x130
 bio_put+0xab/0xe0
 bio_endio+0x3a6/0x5d0
 blk_update_request+0x590/0x1370
 scsi_end_request+0x7d/0x400
 scsi_io_completion+0x1aa/0xe50
 scsi_softirq_done+0x11b/0x240
 blk_mq_complete_request+0xd4/0x120
 scsi_mq_done+0xf0/0x200
 virtscsi_vq_done+0xbc/0x150
 vring_interrupt+0x179/0x390
 __handle_irq_event_percpu+0xf7/0x490
 handle_irq_event_percpu+0x7b/0x160
 handle_irq_event+0xcc/0x170
 handle_edge_irq+0x215/0xb20
 common_interrupt+0x60/0x120
 asm_common_interrupt+0x1e/0x40

Fix this by moving the BIO_THROTTLED set into the queue_lock.

AI-Powered Analysis

Last updated: 07/06/2025, 05:54:34 UTC

Technical Analysis

CVE-2022-49465 is a high-severity use-after-free vulnerability in the Linux kernel's block layer throttling mechanism (blk-throttle). The vulnerability arises from improper handling of the BIO_THROTTLED flag in the blk_throtl_bio() function. When a block I/O (bio) operation is throttled, the kernel sets the BIO_THROTTLED flag and starts a timer to delay the submission of the bio. However, if the bio completes before the timer expires, the kernel may still attempt to access the bio after it has been freed, leading to a use-after-free condition. This is evidenced by the Kernel Address Sanitizer (KASAN) reports showing reads from freed memory addresses during bio processing. The root cause is that the BIO_THROTTLED flag is set outside the protection of the queue_lock, allowing a race condition where the bio can be freed concurrently. The fix involves moving the BIO_THROTTLED flag setting inside the queue_lock to prevent this race. The vulnerability affects Linux kernel versions identified by the commit hash 2a0f61e6ecd08d260054bde4b096ff207ce5350f and likely other versions containing the same flawed code. The CVSS 3.1 score is 7.8 (high), with attack vector local, low attack complexity, requiring privileges but no user interaction, and impacts confidentiality, integrity, and availability. Exploitation could allow a local attacker with some privileges to cause kernel memory corruption, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context. No known exploits are reported in the wild yet.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for servers and infrastructure running Linux kernels with the affected blk-throttle code. Since Linux is widely used in enterprise environments, cloud providers, and critical infrastructure across Europe, exploitation could lead to system crashes, data corruption, or privilege escalation, undermining system integrity and availability. Organizations relying on Linux-based storage servers, virtualization hosts, or container platforms are particularly at risk. The vulnerability requires local access with some privileges, so insider threats or attackers who have already gained limited access could leverage this flaw to escalate privileges or disrupt services. This could impact sectors such as finance, healthcare, government, and telecommunications, where Linux servers are prevalent and availability and data integrity are critical. The use-after-free nature also increases the risk of unpredictable kernel behavior, complicating incident response and recovery.

Mitigation Recommendations

European organizations should prioritize patching Linux kernels to versions where this vulnerability is fixed, i.e. where the BIO_THROTTLED flag is set under queue_lock protection. Since the vulnerability requires local privileges, organizations should enforce strict access controls and monitor for suspicious local activity. Use kernel debugging instrumentation such as the Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues proactively. Limit the use of untrusted or unnecessary local accounts and implement robust privilege separation. For environments where immediate patching is not feasible, consider disabling or restricting blk-throttle features if possible, or isolating critical workloads to minimize exposure. Regularly audit kernel versions and configurations across infrastructure to identify vulnerable systems. Additionally, enhance logging and monitoring for kernel errors or crashes related to block I/O operations to detect potential exploitation attempts early.
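To support the monitoring recommendation above, the following is an added example (not part of this advisory or of the kernel project) that parses KASAN reports out of dmesg text and flags the pattern described in this advisory: a use-after-free caught inside blk_throtl_bio() on a bio freed through bio_endio()/bio_free(). The sample input is constructed from the trace quoted in the description; the timestamps are invented.

```python
import re

# Constructed sample: the opening lines of the KASAN report quoted in this
# advisory, laid out as dmesg prints them, followed by an unrelated line.
SAMPLE_DMESG = """\
[ 1234.567890] BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
[ 1234.567891] Read of size 2 at addr ffff88801b8902d4 by task fio/26380
[ 1234.567892] Call Trace:
[ 1234.567893]  blk_throtl_bio+0x12f0/0x2c70
[ 1234.567894]  submit_bio_noacct+0x83/0xc80
[ 1234.600000] Freed by task 0:
[ 1234.600001]  bio_free+0xe0/0x130
[ 1234.600002]  bio_endio+0x3a6/0x5d0
[ 1234.600003] ==================================================================
[ 1300.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
SECTION_RE = re.compile(r"^(Call Trace|Allocated by task \d+|Freed by task \d+):")
FRAME_RE = re.compile(r"^\s*(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def parse_kasan_reports(text):
    """Split raw dmesg text into one dict per KASAN report."""
    reports, cur, section = [], None, None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if m := BUG_RE.search(line):          # header line opens a report
            cur = {"kind": m["kind"], "func": m["func"],
                   "trace": [], "alloc": [], "free": []}
            section = "trace"
            reports.append(cur)
        elif cur is None:
            continue                           # noise outside any report
        elif line.startswith("===="):          # KASAN's closing delimiter
            cur = None
        elif m := ACCESS_RE.search(line):
            cur.update(op=m["op"], size=int(m["size"]),
                       addr=m["addr"], task=m["task"])
        elif m := SECTION_RE.match(line):
            section = {"C": "trace", "A": "alloc", "F": "free"}[line[0]]
        elif m := FRAME_RE.match(line):
            cur[section].append(m["sym"])
    return reports


def is_blk_throttle_uaf(report):
    """Match this advisory's pattern: UAF in blk_throtl_bio() on a completed bio."""
    return (report["kind"] == "use-after-free"
            and "blk_throtl_bio" in [report["func"], *report["trace"]]
            and {"bio_endio", "bio_free"} <= set(report["free"]))
```

Lines such as "CPU:" or "Hardware name:" inside a report are simply skipped; log sources with a different timestamp prefix need TS_RE adjusted.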


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.577Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aebf94

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/6/2025, 5:54:34 AM

Last updated: 8/11/2025, 6:52:41 AM
