CVE-2022-49807 is a vulnerability identified in the Linux kernel specifically within the nvmet (NVMe target) subsystem. The issue is a memory leak occurring in the function nvmet_auth_set_key, which is responsible for managing authentication keys used in the NVMe over Fabrics (NVMe-oF) target implementation. The vulnerability arises when changing CHAP (Challenge-Handshake Authentication Protocol) secrets; the old secrets are not properly released, leading to unreleased memory allocations. This is evidenced by the kernel memory leak detector (kmemleak) reporting unreferenced objects related to the authentication keys. The backtrace shows the leak occurs during kernel string duplication (kstrdup) and configuration filesystem write operations (configfs_write_iter), indicating that the leak happens when configuration changes are applied to the nvmet subsystem. While the vulnerability does not directly allow code execution or privilege escalation, the memory leak can degrade system stability over time, potentially leading to resource exhaustion and denial of service (DoS) conditions on systems heavily utilizing NVMe-oF with CHAP authentication. The vulnerability has been fixed by ensuring that old secrets are properly freed when updated. No known exploits are reported in the wild, and no CVSS score has been assigned yet.

For European organizations, the impact of CVE-2022-49807 depends largely on their use of Linux systems as NVMe-oF targets, particularly in data centers, cloud providers, and enterprises with high-performance storage infrastructures. Organizations relying on NVMe-oF with CHAP authentication could experience gradual memory leaks leading to degraded performance or system crashes if the vulnerability is exploited or triggered by routine configuration changes. This could affect critical storage services, impacting availability and potentially causing downtime in environments where high availability is essential, such as financial institutions, healthcare providers, and industrial control systems. Although the vulnerability does not directly compromise confidentiality or integrity, the resulting denial of service could disrupt business operations and service delivery. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to maintain system reliability.

To mitigate CVE-2022-49807, European organizations should: 1) Apply the latest Linux kernel patches that address the memory leak in nvmet_auth_set_key as soon as they become available from trusted Linux distribution vendors or the upstream kernel. 2) Monitor systems running NVMe-oF targets with CHAP authentication for unusual memory usage patterns or kernel memory leak warnings using tools like kmemleak or system monitoring solutions. 3) Implement configuration management best practices to minimize frequent changes to CHAP secrets unless necessary, reducing the risk of triggering the leak. 4) Conduct regular kernel updates and testing in staging environments to ensure stability and security of storage subsystems. 5) Engage with Linux vendor support channels for guidance on backporting fixes if using long-term support kernels. 6) Consider additional monitoring and alerting on storage subsystem health to detect early signs of resource exhaustion or performance degradation.