CVE-2022-49902 is a vulnerability identified in the Linux kernel related to a potential memory leak in the block device subsystem. Specifically, the issue arises in the function device_add_disk(), which is responsible for adding a disk device to the system. The vulnerability is caused by improper error handling in the code path when adding a disk fails. During normal operation, memory allocated by the function wbt_enable_default() for the writeback throttling (wbt) subsystem is released properly via a sequence of calls culminating in rq_qos_exit(), which frees the rq_wb memory. However, in the error path of device_add_disk(), only blk_unregister_queue() is called without invoking rq_qos_exit(), resulting in the rq_wb memory not being freed and thus leaking. The memory leak was detected by kmemleak, a kernel memory leak detector, which reported unreferenced objects associated with the modprobe process. The fix involves adding a call to rq_qos_exit() in the error path of device_add_disk() to ensure proper cleanup of allocated memory. This vulnerability does not appear to have known exploits in the wild and does not have an assigned CVSS score. It affects Linux kernel versions identified by the commit hash 83cbce9574462c6b4eed6797bdaf18fae6859ab3 and likely other versions containing the vulnerable code. The issue is technical and subtle, related to kernel memory management and device registration error handling.

The primary impact of this vulnerability is a potential memory leak in the Linux kernel when adding block devices fails. For European organizations, especially those running Linux servers, embedded systems, or infrastructure relying on dynamic device management, this could lead to gradual memory exhaustion on affected systems. Over time, repeated failures in adding disks could cause increased memory consumption, potentially degrading system performance or causing instability. While this vulnerability does not directly enable code execution, privilege escalation, or data leakage, the resulting resource exhaustion could disrupt critical services, particularly in environments with high device churn or automated device management. Systems used in data centers, cloud infrastructure, or industrial control that rely on Linux kernels with the vulnerable code are at risk. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed to maintain system reliability and prevent denial-of-service conditions caused by memory leaks.

To mitigate this vulnerability, European organizations should: 1) Apply the official Linux kernel patches that fix the memory leak by ensuring rq_qos_exit() is called in the error path of device_add_disk(). This is the definitive fix and should be prioritized. 2) Monitor system logs and use kernel memory leak detection tools such as kmemleak to identify any abnormal memory usage patterns related to block device management. 3) Implement robust error handling and alerting for device addition failures to detect and respond to potential issues early. 4) For critical systems, consider kernel updates during scheduled maintenance windows to minimize disruption. 5) If immediate patching is not feasible, limit dynamic disk addition operations or automate system reboots to clear leaked memory as a temporary workaround. 6) Maintain up-to-date inventories of Linux kernel versions deployed across infrastructure to identify vulnerable systems quickly. 7) Engage with Linux distribution vendors for backported patches if using long-term support kernels.