
CVE-2022-49623: Vulnerability in Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 02:23:39 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/xive/spapr: correct bitmap allocation size

kasan detects access beyond the end of the xibm->bitmap allocation:

BUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140
Read of size 8 at addr c00000001d1d0118 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28
Call Trace:
[c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable)
[c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710
[c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354
[c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0
[c00000001d98f970] [c0000000011c6ed0] _find_first_zero_bit+0x40/0x140
[c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260
[c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450
[c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118
[c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac
[c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640
[c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0
[c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64

Allocated by task 0:
kasan_save_stack+0x34/0x70
__kasan_kmalloc+0xb4/0xf0
__kmalloc+0x268/0x540
xive_spapr_init+0x4d0/0x77c
pseries_init_irq+0x40/0x27c
init_IRQ+0x44/0x84
start_kernel+0x2a4/0x538
start_here_common+0x1c/0x20

The buggy address belongs to the object at c00000001d1d0118
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [c00000001d1d0118, c00000001d1d0120)

The buggy address belongs to the physical page:
page:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d
flags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff)
raw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480
raw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
>c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc
 c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc

This happens because the allocation uses the wrong unit (bits) when it should pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With small numbers of bits, the allocated object can be smaller than sizeof(long), which results in invalid accesses.

Use bitmap_zalloc() to allocate and initialize the irq bitmap, paired with bitmap_free() for consistency.

AI-Powered Analysis

Last updated: 06/29/2025, 23:25:53 UTC

Technical Analysis

CVE-2022-49623 is a vulnerability in the Linux kernel's powerpc/xive/spapr subsystem. The issue arises from an incorrect bitmap allocation size during initialization of the interrupt request (IRQ) bitmap. It is a slab-out-of-bounds memory access detected by the Kernel Address Sanitizer (KASAN): the report shows an 8-byte read past the end of the bitmap object. The root cause is that the allocation passes the bit count as its size instead of BITS_TO_LONGS(count) multiplied by sizeof(long). For small bit counts the allocated object is therefore smaller than sizeof(long), and the word-at-a-time bitmap scan reads beyond it. The affected code path involves _find_first_zero_bit, xive_spapr_get_ipi, and xive_setup_cpu_ipi, which are part of interrupt controller setup on PowerPC. The bug manifests during kernel initialization and CPU interrupt setup and can cause kernel crashes or undefined behavior due to the out-of-bounds access. The fix uses bitmap_zalloc() for allocation and bitmap_free() for deallocation so that the bitmap is correctly sized and initialized. No known exploits have been reported in the wild, and no CVSS score has been assigned yet.
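As an added userland model of the sizing error described above (example code, not kernel code and not from this advisory): the buggy path passes the bit count straight through as a byte count, while bitmap_zalloc() sizes the buffer in longs, which is the unit a word-at-a-time scan such as _find_first_zero_bit actually reads. Helper names such as bitmap_bytes_buggy, bitmap_zalloc_model and claim_ipi are assumptions for illustration.

```c
/* Added example, not kernel code: models the xive spapr IPI bitmap sizing
 * bug. All identifiers below are illustrative stand-ins, not kernel APIs. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define BITS_TO_LONGS(nbits) (((nbits) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Buggy sizing: the bit count is used directly as a byte count. */
size_t bitmap_bytes_buggy(unsigned int nbits) { return nbits; }

/* Correct sizing: whole longs, which is what bitmap_zalloc() computes. */
size_t bitmap_bytes_fixed(unsigned int nbits) {
    return BITS_TO_LONGS(nbits) * sizeof(long);
}

/* True when the buggy size cannot hold even one word-sized read, i.e. the
 * condition KASAN flagged (an 8-byte read from an allocation of 2 bytes). */
bool buggy_size_underflows(unsigned int nbits) {
    return bitmap_bytes_buggy(nbits) < bitmap_bytes_fixed(nbits);
}

/* Userland stand-in for bitmap_zalloc(): sized in longs and zero-filled. */
unsigned long *bitmap_zalloc_model(unsigned int nbits) {
    return calloc(BITS_TO_LONGS(nbits), sizeof(long));
}

/* Word-at-a-time scan like the kernel's _find_first_zero_bit: it loads whole
 * longs, so the buffer must hold BITS_TO_LONGS(nbits) of them. Returns nbits
 * when no zero bit exists below nbits. */
unsigned int find_first_zero_bit(const unsigned long *map, unsigned int nbits) {
    for (unsigned int w = 0; w < BITS_TO_LONGS(nbits); w++) {
        if (~map[w]) {  /* __builtin_ctzl is only called on a non-zero value */
            unsigned int bit = w * BITS_PER_LONG + (unsigned int)__builtin_ctzl(~map[w]);
            return bit < nbits ? bit : nbits;
        }
    }
    return nbits;
}

/* Models the allocation step of xive_spapr_get_ipi(): claim the lowest free
 * IPI number, or return -1 when the bitmap is exhausted. */
int claim_ipi(unsigned long *map, unsigned int nbits) {
    unsigned int bit = find_first_zero_bit(map, nbits);
    if (bit >= nbits) return -1;
    map[bit / BITS_PER_LONG] |= 1UL << (bit % BITS_PER_LONG);
    return (int)bit;
}
```

With nbits = 2, the buggy size is 2 bytes while the scan reads sizeof(long) bytes, which is exactly the 8-byte read from a 2-byte object in the KASAN shadow (02) above.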

Potential Impact

For European organizations relying on Linux systems running on PowerPC architectures, particularly those using the xive interrupt controller subsystem (common in IBM Power Systems), this vulnerability could lead to kernel instability or denial of service due to memory corruption during CPU interrupt initialization. While exploitation requires kernel-level access or conditions during system boot or CPU setup, a successful attack or accidental trigger could cause system crashes, impacting availability of critical infrastructure or services. This is particularly relevant for data centers, cloud providers, and enterprises using IBM Power-based servers for high-performance computing or enterprise workloads. Confidentiality and integrity impacts are limited unless combined with other vulnerabilities, but availability degradation could disrupt business operations. Since the flaw occurs during kernel initialization, remote exploitation is unlikely without prior access, but local attackers or malicious insiders could potentially trigger the issue to cause denial of service.

Mitigation Recommendations

European organizations should ensure that their Linux kernel versions are updated to include the patch that corrects the bitmap allocation size in the powerpc/xive/spapr subsystem. Specifically, they should:

1) Apply the latest stable Linux kernel updates from trusted vendors or distributions that address CVE-2022-49623.
2) For custom or embedded Linux builds on PowerPC platforms, review and patch the kernel source code to replace the incorrect bitmap allocation with bitmap_zalloc() and bitmap_free() usage as recommended.
3) Conduct thorough testing of kernel updates in staging environments to verify stability and absence of regressions.
4) Monitor kernel logs for KASAN or slab-out-of-bounds warnings that may indicate attempts to trigger this vulnerability.
5) Limit local access to systems running vulnerable kernels to reduce the risk of exploitation by unprivileged users.
6) Maintain robust backup and recovery procedures to mitigate potential availability impacts from kernel crashes.

These steps go beyond generic advice by focusing on architecture-specific kernel patching and operational controls relevant to PowerPC Linux environments.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:21:30.420Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe464c

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/29/2025, 11:25:53 PM

Last updated: 7/7/2025, 10:14:51 AM
