CVE-2022-49411
Published: 26 February 2025
Summary
CVE-2022-49411 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 24.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2022-49411 is a use-after-free vulnerability in the Linux kernel's BFQ I/O scheduler. It arises when I/O requests, known as bios, are queued for a bfq_group (bfqg) associated with a cgroup that has already been offlined. This can result in the bfq_group being inserted into a service tree, only for it to be freed upon completion of the last associated bio, leading to use-after-free conditions for service tree users. The issue is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Successful exploitation could grant high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or denial of service through kernel memory corruption.
Mitigation is provided through patches in Linux kernel stable releases, as detailed in the referenced commits (e.g., 075a53b78b815301f8d3dd1ee2cd99554e34f0dd, 51f724bffa3403a5236597e6b75df7329c1ec6e9). These fixes ensure that queuing operations always target online bfq_groups, falling back to the first online parent group if the associated bfq_group is not online. Security practitioners should apply these kernel updates to affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54818
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: bfq: Make sure bfqg for which we are queueing requests is online. Bios queued into the BFQ IO scheduler can be associated with a cgroup that was already offlined. This may then cause insertion of this bfq_group into a service tree. But this bfq_group will get freed as soon as the last bio associated with it is completed, leading to use-after-free issues for service tree users. Fix the problem by making sure we always operate on an online bfq_group. If the bfq_group associated with the bio is not online, we pick the first online parent.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
Local kernel UAF in BFQ scheduler directly enables privilege escalation via memory corruption and arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely application of the kernel patches that fix the use-after-free in the BFQ I/O scheduler by ensuring only online bfq_groups are used for queuing bios.
- CM-6 (Configuration Settings): enforces secure kernel configuration settings, such as selecting a non-BFQ I/O scheduler (e.g., mq-deadline), to avoid triggering the vulnerable queuing logic on offlined cgroups.
- Vulnerability scanning identifies Linux kernel versions affected by CVE-2022-49411, enabling targeted remediation of the BFQ use-after-free flaw.
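The CM-6 control above relies on knowing which block devices actually run bfq. The following POSIX shell script is an added example, not part of this CVE record or of the kernel project: it parses the `/sys/block/<dev>/queue/scheduler` format (available schedulers on one line, the active one in brackets), reports any device whose active scheduler is bfq, and prints the sysfs write that switches it to mq-deadline. The two-device sysfs tree built by `demo_audit` is constructed so the script runs offline; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the CVE record): audit which block devices use the
# bfq I/O scheduler, the code path affected by CVE-2022-49411, and show the
# sysfs write that moves them to mq-deadline (the CM-6 configuration change).

# /sys/block/<dev>/queue/scheduler holds one line listing the available
# schedulers with the active one in brackets, e.g. "mq-deadline kyber [bfq] none".
# active_scheduler prints the bracketed name from such a line.
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# uses_bfq succeeds (exit 0) when the active scheduler in the line is bfq.
uses_bfq() {
    [ "$(active_scheduler "$1")" = "bfq" ]
}

# audit_block_devices scans a sysfs-style tree (default /sys/block), prints one
# line per device plus a remediation hint for bfq devices. Exit status is 0 when
# no device uses bfq and 1 when at least one does, so it can gate a CI check.
audit_block_devices() {
    root=${1:-/sys/block}
    status=0
    for f in "$root"/*/queue/scheduler; do
        [ -r "$f" ] || continue
        dev=${f%/queue/scheduler}
        dev=${dev##*/}
        read -r line < "$f"
        if uses_bfq "$line"; then
            status=1
            echo "$dev: active scheduler is bfq -> remediate with: echo mq-deadline > $f"
        else
            echo "$dev: active scheduler is $(active_scheduler "$line")"
        fi
    done
    return $status
}

# demo_audit builds a constructed two-device tree (one bfq, one none) and runs
# the audit against it, so the script demonstrates itself without touching /sys.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sda/queue" "$tmp/nvme0n1/queue"
    echo 'mq-deadline kyber [bfq] none' > "$tmp/sda/queue/scheduler"
    echo '[none] mq-deadline' > "$tmp/nvme0n1/queue/scheduler"
    audit_block_devices "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_audit || echo "finding: at least one device uses bfq; switch it or apply the fixed kernel"
```

Run `audit_block_devices` with no argument on a live host to inspect the real `/sys/block`. A scheduler written through sysfs does not survive a reboot, so an adopted change belongs in a udev rule or the kernel command line; the write also fails if mq-deadline is not among the listed schedulers. The scheduler switch is a compensating control only: the actual fix is the patched kernel referenced under SI-2.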