CVE-2022-49802: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix null pointer dereference in ftrace_add_mod()

The @ftrace_mod is allocated by kzalloc(), so both the members {prev,next} of @ftrace_mod->list are NULL, it's not a valid state to call list_del(). If kstrdup() for @ftrace_mod->{func|module} fails, it goes to @out_free tag and calls free_ftrace_mod() to destroy @ftrace_mod, then list_del() will write prev->next and next->prev, where null pointer dereference happens.

BUG: kernel NULL pointer dereference, address: 0000000000000008
Oops: 0002 [#1] PREEMPT SMP NOPTI
Call Trace:
<TASK>
ftrace_mod_callback+0x20d/0x220
? do_filp_open+0xd9/0x140
ftrace_process_regex.isra.51+0xbf/0x130
ftrace_regex_write.isra.52.part.53+0x6e/0x90
vfs_write+0xee/0x3a0
? __audit_filter_op+0xb1/0x100
? auditd_test_task+0x38/0x50
ksys_write+0xa5/0xe0
do_syscall_64+0x3a/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Kernel panic - not syncing: Fatal exception

So call INIT_LIST_HEAD() to initialize the list member to fix this issue.
AI Analysis
Technical Summary
CVE-2022-49802 is a NULL pointer dereference in the Linux kernel's ftrace subsystem, in the ftrace_add_mod() function. The ftrace_mod structure is allocated with kzalloc(), which zeroes memory, so the prev and next pointers of its list member start out NULL rather than pointing back at the node as INIT_LIST_HEAD() would set them. When kstrdup() fails to allocate the func or module member, the code jumps to the out_free error label and calls free_ftrace_mod() to destroy the instance; that function calls list_del() on the still-uninitialized list member, and list_del() writes next->prev and prev->next through the NULL links. On a 64-bit kernel the prev field sits 8 bytes into struct list_head, which is why the oops reports a write to address 0x8, and the fault escalates to a kernel panic and system crash. The root cause is the missing INIT_LIST_HEAD() call on the list member after allocation. The code path is reached by writing to the ftrace_regex interface, as the call trace through ftrace_regex_write and ftrace_process_regex shows, and the crash occurs when a kstrdup() allocation fails on that path. The result is a denial of service (DoS): the kernel panics and the system becomes unavailable. The vulnerability affects Linux kernel versions identified by the commit hash 673feb9d76ab3eddde7acfd94b206e321cfc90b9 and likely other related versions. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The fix adds INIT_LIST_HEAD() so the list member is initialized before any error path can call list_del() on it.
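The following is an added user-space model of the bug and its fix; it is not kernel code and not part of this advisory. It reimplements the two-pointer list_head layout and the write order of the kernel's list_del(), but instead of dereferencing a NULL link it reports the address that write would have hit, so the example runs safely. The struct name ftrace_mod, the helper free_ftrace_mod(), the out_free error path, and the sample strings "sys_write" and "ext4" are modelled after the description above and are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup() */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the kernel's intrusive doubly linked list
 * (assumption: same two-pointer layout as include/linux/list.h). */
struct list_head {
    struct list_head *next;
    struct list_head *prev;
};

/* Kernel-style INIT_LIST_HEAD(): an unlinked node points at itself,
 * so a later list_del() on it only rewrites its own two pointers. */
static void init_list_head(struct list_head *l)
{
    l->next = l;
    l->prev = l;
}

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

/* Model of list_del(): the kernel writes next->prev first, then prev->next.
 * A NULL link is reported through *fault_addr (the offset that write would
 * reach from address 0) instead of being dereferenced. Returns true on success. */
static bool model_list_del(struct list_head *e, uintptr_t *fault_addr)
{
    struct list_head *prev = e->prev, *next = e->next;

    if (next == NULL) {
        *fault_addr = offsetof(struct list_head, prev); /* NULL + 8 on 64-bit */
        return false;
    }
    next->prev = prev;
    if (prev == NULL) {
        *fault_addr = offsetof(struct list_head, next); /* NULL + 0 */
        return false;
    }
    prev->next = next;
    e->next = e->prev = NULL; /* poison the unlinked node */
    *fault_addr = 0;
    return true;
}

/* Modelled after the page's ftrace_mod: a list node plus two kstrdup()'d strings. */
struct ftrace_mod {
    struct list_head list;
    char *func;
    char *module;
};

/* Model of free_ftrace_mod(): unlink, then release strings and the object.
 * On a modelled fault the memory is still freed so the example does not leak. */
static bool free_ftrace_mod(struct ftrace_mod *m, uintptr_t *fault_addr)
{
    bool ok = model_list_del(&m->list, fault_addr);
    free(m->func);
    free(m->module);
    free(m);
    return ok;
}

/* Model of the ftrace_add_mod() error path: calloc() stands in for kzalloc()
 * (both list links start NULL), the fix is optionally applied, then kstrdup()
 * for ->module is simulated as failing so control reaches out_free.
 * Returns the address the kernel would have faulted on, or 0 if none. */
static uintptr_t error_path(bool apply_fix)
{
    struct ftrace_mod *m = calloc(1, sizeof *m);
    uintptr_t fault = 0;

    if (m == NULL)
        return 0;
    if (apply_fix)
        init_list_head(&m->list); /* the one-line fix from the advisory */
    m->func = strdup("sys_write"); /* constructed sample filter */
    m->module = NULL;              /* simulated kstrdup() failure */
    if (m->func == NULL || m->module == NULL) {
        free_ftrace_mod(m, &fault); /* out_free */
        return fault;
    }
    return 0;
}

/* Success path for contrast: a node that was really linked into a list is
 * freed and must leave the head empty again. */
static bool success_path(void)
{
    struct list_head head;
    struct ftrace_mod *m = calloc(1, sizeof *m);
    uintptr_t fault = 0;

    init_list_head(&head);
    if (m == NULL)
        return false;
    init_list_head(&m->list);
    m->func = strdup("sys_write"); /* constructed sample filter */
    m->module = strdup("ext4");    /* constructed sample module name */
    list_add_tail(&m->list, &head);
    if (!free_ftrace_mod(m, &fault))
        return false;
    return head.next == &head && head.prev == &head;
}

int main(void)
{
    printf("unfixed error path: would fault at 0x%lx\n", (unsigned long)error_path(false));
    printf("fixed error path:   would fault at 0x%lx\n", (unsigned long)error_path(true));
    printf("linked node freed cleanly: %s\n", success_path() ? "yes" : "no");
    return 0;
}
```

Run stand-alone, the unfixed path reports a fault at 0x8 on a 64-bit build, matching the "address: 0000000000000008" line in the oops, while the fixed path and the normal linked-node path complete without touching a NULL pointer. The design point is that a zeroed list_head is not an empty list; only a self-pointing node can be safely passed to list_del(), which is why the fix initializes the node right after allocation rather than guarding each error path.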
Potential Impact
For European organizations relying on Linux-based systems, this vulnerability poses a risk of denial of service through kernel panics triggered by malformed inputs to the ftrace subsystem. Systems running affected kernel versions could be crashed remotely or locally if an attacker has the ability to write to the ftrace_regex interface or otherwise trigger the vulnerable code path. This could disrupt critical services, especially in environments where Linux is used for servers, networking equipment, or embedded devices. The impact is primarily availability loss, causing downtime and potential operational disruption. Confidentiality and integrity impacts are not evident from this vulnerability alone. However, repeated crashes could lead to system instability and increased maintenance overhead. Organizations in sectors such as finance, telecommunications, healthcare, and critical infrastructure in Europe, which heavily depend on Linux servers, could face operational risks if unpatched. The lack of known exploits reduces immediate threat but does not eliminate risk, especially as attackers may develop exploits once the vulnerability is public.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions by applying vendor-provided updates that include the fix for CVE-2022-49802. If immediate patching is not possible, restricting access to the ftrace interfaces, particularly ftrace_regex, can reduce exposure. This can be achieved by limiting permissions to trusted users and processes, and by using kernel lockdown features or mandatory access controls (e.g., SELinux, AppArmor) to prevent unauthorized writes to ftrace controls. Monitoring kernel logs for OOPS or panic messages related to ftrace can help detect exploitation attempts. Additionally, organizations should implement robust system integrity monitoring and maintain backups to enable rapid recovery from crashes. For embedded or specialized Linux systems, coordinate with vendors to ensure firmware or kernel updates are applied. Finally, educating system administrators about this vulnerability and its symptoms will aid in early detection and response.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-05-01T14:05:17.225Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe4c3a
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 1:54:32 AM
Last updated: 8/14/2025, 7:04:22 AM