CVE-2022-49168
Published: 26 February 2025
Summary
CVE-2022-49168 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking sits at the 7.4th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2022-49168 is a use-after-free (CWE-416) in the Linux kernel's BTRFS read-repair path. When a repair bio fails to submit, the submit helper has already run bio_endio() on it before returning the error; the repair code then performed its own cleanup of that same bio, racing with the endio callback that was tearing it down and producing use-after-free and NULL pointer dereference bugs. The defect is confined to the submit-failure branch, so it is reached only when the repair I/O cannot be issued, not on every repair. Affected are kernel versions that predate the referenced stable patches.
The CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U with a base score of 7.8 (High): a local, low-privileged attacker with no user interaction. Impact is rated high on confidentiality, integrity and availability because a kernel use-after-free can be driven at least to a crash and, with further work, to arbitrary kernel code execution. The precondition that limits practical reach is that the attacker must make a BTRFS repair bio fail to submit, which is an I/O error path rather than something an ordinary system call alone drives.
Mitigation is the upstream fix, backported through the referenced stable commits (for example https://git.kernel.org/stable/c/7170875083254b51fcc5d67f96640977083f481e). The patch removes the manual bio cleanup on submission failure and returns BLK_STS_OK instead, so the repair function carries on with the remaining pages and the repair bio's endio performs the only cleanup of the page it was handed. No runtime configuration workaround is described; apply the distribution kernel update that carries these commits.
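The ownership mistake behind this bug, shown as an added user-space model that is not kernel code and not the upstream patch: the submit helper always completes the bio when submission fails, so any cleanup the caller does afterwards touches a released bio, and propagating the error also makes the outer loop unlock a page the endio already unlocked. The page and bio structs, the bio pool, the counters, NPAGES and the function names are constructed stand-ins (the names echo the kernel's bio, bio_endio, bio_put and BLK_STS_OK only for readability), and the real cross-CPU race is collapsed into a deterministic synchronous double cleanup so the two behaviours can be counted.

```c
/* User-space model of the btrfs read-repair ownership bug behind CVE-2022-49168.
 * Names echo the kernel's (bio, bio_endio, bio_put, BLK_STS_OK) but every type
 * and function is a constructed stand-in; the asynchronous race is collapsed
 * into a synchronous double cleanup so the outcome is deterministic. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef int blk_status_t;
#define BLK_STS_OK    0
#define BLK_STS_IOERR 10
#define NPAGES        4

struct page { int unlock_count; };             /* correct value after repair: exactly 1 */
struct bio  { struct page *page; bool live; }; /* live == false once released */

static struct bio bio_pool[NPAGES];            /* stands in for the bio mempool */
static int uaf_accesses;                       /* bio uses after release */

static struct bio *bio_alloc_page(int i, struct page *p) {
    bio_pool[i].page = p;
    bio_pool[i].live = true;
    return &bio_pool[i];
}

/* Releasing a bio a second time is the use-after-free in the real kernel. */
static void bio_put(struct bio *b) {
    if (!b->live) { uaf_accesses++; return; }
    b->live = false;
}

static void end_page_read(struct page *p) { p->unlock_count++; }

/* End_io of the repair bio: it owns both the page and the bio cleanup. */
static void bio_endio(struct bio *b) {
    end_page_read(b->page);
    bio_put(b);
}

/* The contract the buggy caller misread: when submission fails, the helper
 * has already run bio_endio() by the time it returns the error. */
static blk_status_t submit_bio_hook(struct bio *b, bool fail_submit) {
    bio_endio(b);   /* on success the kernel completes this asynchronously */
    return fail_submit ? BLK_STS_IOERR : BLK_STS_OK;
}

/* Before the fix: releases a bio it no longer owns and propagates the error,
 * which makes the caller below unlock the same page a second time. */
static blk_status_t repair_one_sector_buggy(int i, struct page *p, bool fail_submit) {
    struct bio *b = bio_alloc_page(i, p);
    blk_status_t ret = submit_bio_hook(b, fail_submit);
    if (ret)
        bio_put(b);     /* endio already did this */
    return ret;
}

/* After the fix: return BLK_STS_OK regardless; the repair bio's endio
 * cleans up the page it was given, so the caller simply keeps going. */
static blk_status_t repair_one_sector_fixed(int i, struct page *p, bool fail_submit) {
    struct bio *b = bio_alloc_page(i, p);
    submit_bio_hook(b, fail_submit);
    return BLK_STS_OK;
}

/* Caller loop in the style of submit_read_repair(): process every sector and,
 * on a reported error, unlock that page itself because it believes it owns it. */
static void submit_read_repair(struct page *pages, bool fail_submit,
                               blk_status_t (*repair)(int, struct page *, bool)) {
    for (int i = 0; i < NPAGES; i++) {
        if (repair(i, &pages[i], fail_submit) == BLK_STS_OK)
            continue;                  /* endio handles the page */
        end_page_read(&pages[i]);
    }
}

static void run(struct page *pages, bool use_fixed, bool fail_submit) {
    memset(pages, 0, NPAGES * sizeof *pages);
    uaf_accesses = 0;
    submit_read_repair(pages, fail_submit,
                       use_fixed ? repair_one_sector_fixed : repair_one_sector_buggy);
}

/* Bio uses after release observed in one scenario. */
int count_uaf(bool use_fixed, bool fail_submit) {
    struct page pages[NPAGES];
    run(pages, use_fixed, fail_submit);
    return uaf_accesses;
}

/* Pages whose unlock count equals `times` in one scenario. */
int count_pages_unlocked(bool use_fixed, bool fail_submit, int times) {
    struct page pages[NPAGES];
    int n = 0;
    run(pages, use_fixed, fail_submit);
    for (int i = 0; i < NPAGES; i++)
        n += (pages[i].unlock_count == times);
    return n;
}
```

Add a main that calls the two counting functions to see the contrast: with submission forced to fail, the buggy path reports NPAGES bio uses after release and every page unlocked twice, while the fixed path reports zero and every page unlocked exactly once. When submission succeeds both paths behave identically, which is why the bug only surfaces under I/O error conditions.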
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55057
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not clean up repair bio if submit fails
The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio. Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free in the BTRFS repair path maps to T1068: a low-privileged local user who can reach the failing submit branch obtains kernel memory corruption, the primitive that privilege-escalation exploits build on to reach arbitrary kernel code execution or full system compromise.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) addresses CVE-2022-49168 directly: apply the kernel update carrying the BTRFS repair-bio fix, which is the only control that removes the defect.
SI-16 (Memory Protection) covers kernel hardening such as KASLR and supervisor-mode execution prevention (SMEP). These raise the cost of turning the use-after-free into code execution but do not stop the memory corruption itself, so a denial of service remains possible on unpatched kernels.
RA-5 (Vulnerability Monitoring and Scanning) detects unpatched kernels. Because distributions backport the fix without changing the upstream kernel version string, match on the vendor package version that carries the commit rather than on the kernel release number alone.