
CVE-2022-49822: Vulnerability in Linux Linux

Medium
Published: Thu May 01 2025 (05/01/2025, 14:09:43 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix connections leak when tlink setup failed

If the tlink setup failed, lost to put the connections, then the module refcnt leak since the cifsd kthread not exit. Also leak the fscache info, and for next mount with fsc, it will print the follow errors:

CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)

Let's check the result of tlink setup, and do some cleanup.

AI-Powered Analysis

Last updated: 06/30/2025, 02:10:27 UTC

Technical Analysis

CVE-2022-49822 is a vulnerability identified in the Linux kernel's CIFS (Common Internet File System) module. The issue arises when the tlink setup process fails during CIFS operations. Specifically, if the tlink setup fails, the kernel fails to properly release or put the connections, leading to a reference count (refcnt) leak. This leak occurs because the CIFS server daemon (cifsd) kernel thread does not exit as expected, causing resources to remain allocated unnecessarily. Additionally, the vulnerability causes a leak in the fscache information, which is a caching mechanism used to improve performance for network file systems. As a result, subsequent mounts using fscache may encounter errors such as "CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)", indicating that stale cache entries persist due to improper cleanup. The root cause is the lack of proper error handling and cleanup after a failed tlink setup, which leads to resource leaks and potential instability in the CIFS subsystem. This vulnerability was addressed by adding checks on the tlink setup result and ensuring appropriate cleanup is performed to prevent resource leakage. The affected versions appear to be specific kernel commits or builds, and no known exploits are currently reported in the wild. No CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability could lead to resource exhaustion on Linux systems running CIFS services or clients, particularly those heavily relying on network file sharing with Windows or SMB-based systems. The resource leaks may degrade system performance over time, potentially causing denial of service conditions if the kernel threads accumulate without proper termination. This can affect availability of critical file sharing services, impacting business operations that depend on seamless access to shared resources. While the vulnerability does not directly allow remote code execution or privilege escalation, the resulting instability and error conditions could disrupt workflows and require system reboots or manual intervention. Organizations with large-scale Linux deployments using CIFS for network storage or file sharing are at greater risk. Additionally, the error messages related to fscache may complicate troubleshooting and lead to misdiagnosis of storage or network issues. Since no exploits are known in the wild, the immediate risk is moderate, but unpatched systems remain vulnerable to potential future exploitation or operational disruptions.

Mitigation Recommendations

European organizations should prioritize applying the Linux kernel patches that address this vulnerability as soon as they become available from their Linux distribution vendors. Specifically, ensure that kernel updates include the fix for proper cleanup after tlink setup failures in the CIFS module. System administrators should monitor CIFS-related logs for error messages indicating cache volume key conflicts or connection leaks, which may signal unpatched systems or ongoing issues. It is advisable to implement proactive monitoring of kernel thread counts and resource usage related to CIFS daemons to detect abnormal growth that could indicate leaks. For critical systems, consider scheduling regular reboots or service restarts as a temporary mitigation until patches are applied. Additionally, review and limit the use of CIFS mounts where possible, or consider alternative protocols if feasible. Network segmentation and strict access controls on SMB/CIFS services can reduce exposure. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential service disruptions caused by this vulnerability.
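The log and kernel-thread monitoring recommended above can be scripted. The following is an added example, not part of the original advisory or of the kernel fix; the function names and sample data are constructed for illustration, and the rule "cifsd threads alive with no CIFS mounts" is an assumed heuristic.

```shell
#!/bin/sh
# Added example: heuristic checks for the leak symptoms named in the advisory.

# Count log lines (stdin) carrying the fscache error quoted in the CVE text.
count_cache_key_errors() {
    awk '/CIFS: Cache volume key already in use/ { n++ } END { print n + 0 }'
}

# Count cifsd kernel threads in `ps -eo comm=` output (stdin).
count_cifsd_threads() {
    awk '$1 == "cifsd" { n++ } END { print n + 0 }'
}

# Count CIFS mounts in /proc/mounts-format input (field 3 is the fs type).
count_cifs_mounts() {
    awk '$3 == "cifs" || $3 == "smb3" { n++ } END { print n + 0 }'
}

# assess <cache_errors> <cifsd_threads> <cifs_mounts>
# Assumed heuristic: cifsd threads should not outlive the last CIFS mount.
assess() {
    if [ "$1" -gt 0 ]; then
        echo "LEAK_SUSPECTED: fscache volume key error logged"
    elif [ "$2" -gt 0 ] && [ "$3" -eq 0 ]; then
        echo "LEAK_SUSPECTED: cifsd threads alive with no CIFS mounts"
    else
        echo "OK"
    fi
}

# Run the three checks against the live host (reading dmesg may need root).
check_live() {
    assess "$(dmesg 2>/dev/null | count_cache_key_errors)" \
           "$(ps -eo comm= | count_cifsd_threads)" \
           "$(count_cifs_mounts < /proc/mounts)"
}

# Constructed sample data so the script also runs offline.
SAMPLE_LOG='[  101.2] CIFS: VFS: cifs_mount failed w/return code = -13
[  101.9] CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)'
SAMPLE_PS='systemd
cifsd
cifsd
sshd'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0'

if [ "${1:-}" = "--live" ]; then check_live; else
    assess "$(printf '%s\n' "$SAMPLE_LOG" | count_cache_key_errors)" \
           "$(printf '%s\n' "$SAMPLE_PS" | count_cifsd_threads)" \
           "$(printf '%s\n' "$SAMPLE_MOUNTS" | count_cifs_mounts)"
fi
```

Run with `--live` to check the current host instead of the embedded samples; a positive result is a prompt to verify the kernel patch level, not proof of the leak.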


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-01T14:05:17.227Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4d24

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 2:10:27 AM

Last updated: 8/6/2025, 1:42:24 PM
