CVE-2022-49168

Severity: High
Published: 26 February 2025
Modified: 21 January 2026
KEV Added: not listed
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49168 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49168 is a use-after-free (CWE-416) vulnerability in the Linux kernel's BTRFS filesystem implementation. It arises during repair bio handling when a bio submission fails: the submit helper invokes bio_endio() on the failed bio, but subsequent cleanup in the repair function races with this endio callback, leading to use-after-free errors and NULL pointer dereferences. The issue affects Linux kernel versions prior to the application of the relevant stable patches.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability, which has a CVSS v3.1 base score of 7.8 (High). Exploitation requires only local access and low complexity, enabling high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, data corruption, or system crashes within the context of the BTRFS repair operations.

Mitigation involves applying upstream kernel patches from the provided stable commit references, such as https://git.kernel.org/stable/c/7170875083254b51fcc5d67f96640977083f481e and others. These patches modify the BTRFS repair logic to avoid manual bio cleanup on submission failure, instead returning BLK_STS_OK to allow the bio_endio() callback to handle page cleanup appropriately, thereby preventing the race condition. Security practitioners should update affected Linux distributions incorporating these fixes.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not clean up repair bio if submit fails

The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio. Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local kernel use-after-free in the BTRFS repair path directly enables exploitation for privilege escalation, allowing arbitrary code execution or full system compromise from a low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2023-52974 (same product: Linux Linux Kernel)
CVE-2026-43019 (same product: Linux Linux Kernel)
CVE-2026-23158 (same product: Linux Linux Kernel)
CVE-2025-21893 (same product: Linux Linux Kernel)
CVE-2026-31446 (same product: Linux Linux Kernel)
CVE-2022-49176 (same product: Linux Linux Kernel)
CVE-2022-49291 (same product: Linux Linux Kernel)
CVE-2026-31650 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: ≤ 5.10.248; 5.11 to 5.15.184; 5.16 to 5.16.19

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 mandates timely flaw remediation, directly addressing CVE-2022-49168 by requiring application of Linux kernel patches to fix the BTRFS repair bio race condition.

Prevent: SI-16 enforces memory protections such as kernel address space layout randomization and supervisor mode execution prevention, mitigating exploitation of the use-after-free vulnerability.

Detect: RA-5 requires vulnerability scanning to detect the presence of CVE-2022-49168 in deployed Linux kernels, enabling proactive patching.
