
CVE-2022-49411

Severity: High
Published: 26 February 2025
Modified: 25 March 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (24.1 percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49411 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel's BFQ I/O scheduler, with a CVSS v3.1 base score of 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 24.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2022-49411 is a use-after-free in the Linux kernel's BFQ I/O scheduler, in its cgroup-aware (hierarchical) scheduling path. A bio (the kernel's block I/O descriptor) submitted to BFQ is charged to the block cgroup of its issuer; if that cgroup has already been offlined, BFQ may still insert the cgroup's bfq_group (bfqg) into a service tree. The bfq_group is freed as soon as the last bio associated with it completes, but the service tree still holds the stale pointer, so subsequent service tree operations dereference freed memory. The issue is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can trigger this vulnerability: the attack complexity is low and no user interaction is required. Successful exploitation corrupts kernel memory, which can yield high impacts on confidentiality, integrity, and availability, from a kernel crash (denial of service) up to code execution in kernel context. Reaching the vulnerable path needs two preconditions worth checking during triage: a block device whose active scheduler is bfq (with BFQ cgroup support compiled in), and a cgroup that is removed while bios charged to it are still queued. The attacker therefore needs the ability to create and remove cgroups, which unprivileged users have only where a cgroup subtree has been delegated to them.

The fix is in mainline and in the stable series. The referenced commits (e.g., 075a53b78b815301f8d3dd1ee2cd99554e34f0dd, 51f724bffa3403a5236597e6b75df7329c1ec6e9) make BFQ always queue against an online bfq_group, walking up to the first online parent when the bfq_group associated with the bio has been offlined, so a group can no longer sit in a service tree after it has been freed. Given the affected ranges listed under Affected Assets, the first fixed stable releases are the ones immediately after each range (5.4.199, 5.10.122, 5.15.47). Distributions backport the fix without changing the upstream version string, so verify the backport by package changelog or commit reference rather than by uname -r alone, and apply the kernel update to affected systems. Where the update must wait, moving affected devices off the bfq scheduler removes the vulnerable path.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

bfq: Make sure bfqg for which we are queueing requests is online

Bios queued into BFQ IO scheduler can be associated with a cgroup that was already offlined. This may then cause insertion of this bfq_group into a service tree. But this bfq_group will get freed as soon as last bio associated with it is completed leading to use after free issues for service tree users. Fix the problem by making sure we always operate on online bfq_group. If the bfq_group associated with the bio is not online, we pick the first online parent.

CWE(s)

CWE-416: Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local use-after-free in the kernel's BFQ scheduler gives an unprivileged local user a kernel memory-corruption primitive, which is the classic starting point for privilege escalation (T1068): a controlled write into freed kernel memory can be turned into code execution or credential overwrite in kernel context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2023-52974 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2022-49176 (same product: Linux kernel)
CVE-2022-49291 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)

Affected Assets

Linux kernel (vendor: Linux)
4.12 to 5.4.198
5.5 to 5.10.121
5.11 to 5.15.46

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mandates timely application of the kernel patches that fix the use-after-free in the BFQ I/O scheduler by ensuring only online bfq_groups are used when queueing bios.

CM-6 Configuration Settings (prevent)

Enforces secure kernel configuration settings, such as selecting a non-BFQ I/O scheduler (e.g., mq-deadline) so that the vulnerable queueing logic is never reached for offlined cgroups. The active scheduler for a device is the bracketed entry in /sys/block/<dev>/queue/scheduler; writing a new value there applies only until reboot, so persist the choice with a udev rule or the distribution's equivalent.

Vulnerability scanning (detect)

Vulnerability scanning identifies Linux kernel builds affected by CVE-2022-49411, enabling targeted remediation of the BFQ use-after-free flaw. Because distributions backport fixes without changing the upstream version number, scanners must match on the distribution package version rather than on uname -r alone.
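The checks behind the patch, configuration and scanning controls above, as an added example (this is not code from the advisory or from the kernel project): a POSIX shell triage script that tests a kernel version string against the affected ranges listed under Affected Assets, reports which block devices currently run bfq, and switches a device to mq-deadline for the running kernel. The function names `vercmp`, `kernel_affected`, `active_scheduler`, `bfq_devices` and `switch_to_mq_deadline` are this example's own, and the sample scheduler string in the comments is constructed; the version ranges are the ones this page lists and nothing more.

```shell
#!/bin/sh
# Added example for CVE-2022-49411 triage; not from the advisory or the kernel tree.
# Needs only POSIX sh, awk and sed. Writing to sysfs requires root.

# vercmp A B: print -1, 0 or 1 comparing two dotted versions numerically.
# Distro suffixes such as "-generic" or "-1019-aws" (as printed by uname -r)
# are stripped first; missing components count as 0, so 4.12 equals 4.12.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# kernel_affected VERSION: succeed (exit 0) if VERSION lies inside one of the
# affected ranges listed on this page. Kernels newer than 5.15 are outside that
# list, so for them consult the distribution changelog for the fix commit.
kernel_affected() {
    v=$1
    for range in "4.12 5.4.198" "5.5 5.10.121" "5.11 5.15.46"; do
        set -- $range   # $1 = first affected release, $2 = last affected release
        if [ "$(vercmp "$v" "$1")" -ge 0 ] && [ "$(vercmp "$v" "$2")" -le 0 ]; then
            return 0
        fi
    done
    return 1
}

# active_scheduler LINE: print the active scheduler from the content of
# /sys/block/<dev>/queue/scheduler; the kernel marks the active one in
# brackets, e.g. the constructed line "mq-deadline kyber [bfq] none" -> bfq.
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# bfq_devices: print the name of every block device whose active scheduler is bfq.
bfq_devices() {
    for f in /sys/block/*/queue/scheduler; do
        [ -r "$f" ] || continue          # also skips the unexpanded glob
        if [ "$(active_scheduler "$(cat "$f")")" = bfq ]; then
            dev=${f#/sys/block/}
            printf '%s\n' "${dev%%/*}"
        fi
    done
}

# switch_to_mq_deadline DEV: change DEV's scheduler for the running kernel only.
# To make it persistent, install a udev rule along these lines:
#   ACTION=="add|change", KERNEL=="sd[a-z]*|nvme[0-9]n[0-9]", ATTR{queue/scheduler}="mq-deadline"
switch_to_mq_deadline() {
    printf 'mq-deadline\n' > "/sys/block/$1/queue/scheduler"
}

# Usage on a host: sh cve-2022-49411-triage.sh --scan
if [ "${1-}" = --scan ]; then
    k=$(uname -r)
    if kernel_affected "$k"; then
        echo "kernel $k is inside an affected range listed for CVE-2022-49411"
    else
        echo "kernel $k is not inside the listed ranges (verify the backport via the distro changelog)"
    fi
    for d in $(bfq_devices); do
        echo "device $d uses bfq; consider: switch_to_mq_deadline $d"
    done
fi
```

The version check deliberately encodes only the ranges this page lists; a distribution kernel reporting 5.10.120 may already carry the backport, and one reporting 5.17.x is simply outside the list, so treat a match as a prompt to check the package changelog, not as a verdict. The sysfs write is lost on reboot, which is why the udev rule is shown beside it.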

References