CVE-2022-49413
Linux Kernel bfq Use-After-Free Vulnerability
Description
In the Linux kernel, the following vulnerability has been resolved: bfq: Update cgroup information before merging bio When the process is migrated to a different cgroup (or in case of writeback just starts submitting bios associated with a different cgroup) bfq_merge_bio() can operate with stale cgroup information in bic. Thus the bio can be merged to a request from a different cgroup or it can result in merging of bfqqs for different cgroups or bfqqs of already dead cgroups and causing possible use-after-free issues. Fix the problem by updating cgroup information in bfq_merge_bio().
INFO
Published Date :
Feb. 26, 2025, 7:01 a.m.
Last Modified :
March 24, 2025, 7:52 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
5.9
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2022-49413.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2022-49413 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2022-49413 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Mar. 24, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.121 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.46 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 5.17.14 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.18 up to (excluding) 5.18.3 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.12 up to (excluding) 5.4.198 Added Reference Type kernel.org: https://git.kernel.org/stable/c/2a1077f17169a6059992a0bbdb330e0abad1e6d9 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/b06691af08b41dfd81052a3362514d9827b44bb1 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/d9165200c5627a2cf4408eefabdf0058bdf95e1a Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/da9f3025d595956410ceaab2bea01980d7775948 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/e8821f45612f2e6d9adb9c6ba0fb4184f57692aa Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/ea591cd4eb270393810e7be01feb8fde6a34fbbe Types: Patch -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Feb. 27, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-416 -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Feb. 26, 2025
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: bfq: Update cgroup information before merging bio When the process is migrated to a different cgroup (or in case of writeback just starts submitting bios associated with a different cgroup) bfq_merge_bio() can operate with stale cgroup information in bic. Thus the bio can be merged to a request from a different cgroup or it can result in merging of bfqqs for different cgroups or bfqqs of already dead cgroups and causing possible use-after-free issues. Fix the problem by updating cgroup information in bfq_merge_bio(). Added Reference https://git.kernel.org/stable/c/2a1077f17169a6059992a0bbdb330e0abad1e6d9 Added Reference https://git.kernel.org/stable/c/b06691af08b41dfd81052a3362514d9827b44bb1 Added Reference https://git.kernel.org/stable/c/d9165200c5627a2cf4408eefabdf0058bdf95e1a Added Reference https://git.kernel.org/stable/c/da9f3025d595956410ceaab2bea01980d7775948 Added Reference https://git.kernel.org/stable/c/e8821f45612f2e6d9adb9c6ba0fb4184f57692aa Added Reference https://git.kernel.org/stable/c/ea591cd4eb270393810e7be01feb8fde6a34fbbe
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2022-49413 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2022-49413
weaknesses.