CVE-2022-49413
Published: 26 February 2025
Summary
CVE-2022-49413 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood percentile is 4.2 (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49413 is a use-after-free vulnerability (CWE-416) in the Linux kernel's BFQ I/O scheduler. The issue arises in the bfq_merge_bio() function, which can operate with stale cgroup information stored in the block I/O context (bic). This staleness occurs when a process migrates to a different cgroup or when writeback begins submitting I/O operations (bios) associated with a different cgroup. As a result, bios may merge with requests from unrelated cgroups, or bfqq queues from different or already terminated cgroups may merge, leading to potential use-after-free memory corruption. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can trigger the flaw by inducing a cgroup migration, or a writeback that submits bios on behalf of a different cgroup, so that bfq_merge_bio() runs with a bic whose cgroup information is stale. The scheduler then merges the bio against a request or bfqq from the wrong cgroup, or from a cgroup that has already been torn down; in the latter case the stale pointer is a use after free. The CVSS vector rates the worst case as full confidentiality, integrity and availability impact: a kernel crash is the most likely outcome, with privilege escalation or arbitrary kernel code execution possible if the freed memory can be controlled. The upstream commit describes the condition, not a working exploit.
Mitigation involves applying upstream patches that update cgroup information in bfq_merge_bio() prior to merging bios. Relevant stable kernel commits include 2a1077f17169a6059992a0bbdb330e0abad1e6d9, b06691af08b41dfd81052a3362514d9827b44bb1, d9165200c5627a2cf4408eefabdf0058bdf95e1a, da9f3025d595956410ceaab2bea01980d7775948, and e8821f45612f2e6d9adb9c6ba0fb4184f57692aa, available via git.kernel.org. Security practitioners should update affected Linux kernels to incorporate these fixes.
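As an added illustration (not the kernel's code and not part of this advisory), the following user-space C model reproduces the stale-context pattern described above: a per-process I/O context caches the cgroup it last saw, a migration changes the process's real cgroup without touching that cache, and the merge path either trusts the cache (the vulnerable shape) or refreshes it before deciding (the fixed shape). The type and function names (struct bic, bic_update_cgroup, merge_bio_stale, merge_bio_fixed) are simplifications chosen for the example, and cgroup teardown is modelled by clearing an alive flag rather than calling free(), so the stale use is observable instead of undefined behaviour.

```c
/* User-space model of the stale-bic bug class behind CVE-2022-49413.
 * Hypothetical names and structures; not the kernel's BFQ code. */
#include <stdbool.h>
#include <stdio.h>

struct cgroup {
    const char *name;
    int refcount;   /* processes currently attached */
    bool alive;     /* false after teardown; kept addressable so stale use is visible */
};

/* Per-process block I/O context: caches the group seen at the last update. */
struct bic {
    struct cgroup *group;
};

struct process {
    struct cgroup *group;   /* authoritative current cgroup */
    struct bic bic;
};

/* A queued request tagged with the group that submitted it. */
struct request {
    struct cgroup *group;
};

enum merge_result {
    MERGE_OK = 0,           /* bio merged into a request of the same group */
    MERGE_REJECTED = 1,     /* groups differ: no merge */
    MERGE_DEAD_GROUP = 2    /* merge consulted a torn-down group (the use after free) */
};

static void cgroup_put(struct cgroup *g)
{
    if (--g->refcount == 0)
        g->alive = false;   /* stands in for freeing the group and its queues */
}

static void process_attach(struct process *p, struct cgroup *g)
{
    p->group = g;
    g->refcount++;
    p->bic.group = g;   /* the bic is populated when the process first does I/O */
}

/* Move p to another cgroup. As in the bug, this does not touch p->bic. */
static void process_migrate(struct process *p, struct cgroup *to)
{
    struct cgroup *from = p->group;
    p->group = to;
    to->refcount++;
    cgroup_put(from);
}

static enum merge_result merge_check(const struct cgroup *g, const struct request *rq)
{
    if (!g->alive)
        return MERGE_DEAD_GROUP;
    return g == rq->group ? MERGE_OK : MERGE_REJECTED;
}

/* Vulnerable shape: trusts whatever the bic cached. */
static enum merge_result merge_bio_stale(struct process *p, const struct request *rq)
{
    return merge_check(p->bic.group, rq);
}

/* Fixed shape: refresh the bic from the process's current cgroup first. */
static void bic_update_cgroup(struct bic *bic, const struct process *p)
{
    if (bic->group != p->group)
        bic->group = p->group;
}

static enum merge_result merge_bio_fixed(struct process *p, const struct request *rq)
{
    bic_update_cgroup(&p->bic, p);
    return merge_check(p->bic.group, rq);
}

/* Scenario 1 (constructed): P leaves group A, A is torn down because nobody
 * else is in it, then P submits a bio next to a request from its new group B. */
static enum merge_result scenario_dead_group(bool fixed)
{
    struct cgroup a = { "A", 0, true }, b = { "B", 0, true };
    struct process p = { 0 }, q = { 0 };
    process_attach(&p, &a);
    process_attach(&q, &b);
    struct request rq_b = { &b };
    process_migrate(&p, &b);   /* a.refcount -> 0: A dead, p.bic still points at A */
    return fixed ? merge_bio_fixed(&p, &rq_b) : merge_bio_stale(&p, &rq_b);
}

/* Scenario 2 (constructed): A stays alive because X is still in it; P migrates
 * to B and submits a bio next to X's request, which belongs to A. */
static enum merge_result scenario_cross_group(bool fixed)
{
    struct cgroup a = { "A", 0, true }, b = { "B", 0, true };
    struct process p = { 0 }, x = { 0 };
    process_attach(&p, &a);
    process_attach(&x, &a);
    struct request rq_a = { &a };
    process_migrate(&p, &b);
    return fixed ? merge_bio_fixed(&p, &rq_a) : merge_bio_stale(&p, &rq_a);
}

int main(void)
{
    printf("dead group : stale=%d fixed=%d\n",
           scenario_dead_group(false), scenario_dead_group(true));
    printf("cross group: stale=%d fixed=%d\n",
           scenario_cross_group(false), scenario_cross_group(true));
    return 0;
}
```

Scenario 1 is the memory-safety failure: the stale path returns MERGE_DEAD_GROUP because it consulted a group that no longer exists, while the refreshed context correctly merges into the B request. Scenario 2 is the quieter isolation failure the commit message also mentions: the stale path happily merges a bio from a process now in B into a request that belongs to A, and the fixed path rejects it.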
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54816
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: bfq: Update cgroup information before merging bio. When the process is migrated to a different cgroup (or in case of writeback just starts submitting bios associated with a different cgroup) bfq_merge_bio() can operate with stale cgroup information in bic. Thus the bio can be merged to a request from a different cgroup or it can result in merging of bfqqs for different cgroups or bfqqs of already dead cgroups and causing possible use-after-free issues. Fix the problem by updating cgroup information in bfq_merge_bio().
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 (Exploitation for Privilege Escalation)
Why these techniques?
A local kernel use-after-free in the BFQ I/O scheduler directly enables privilege escalation via memory corruption from a low-privileged process.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely remediation of kernel flaws like this use-after-free in BFQ's bfq_merge_bio() by applying the patches that update stale cgroup information before bio merging.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify Linux kernel versions that still carry the stale cgroup data bug in BFQ, so they can be patched before local exploitation.
- SI-16 (Memory Protection): Implements memory protections such as non-executable regions and address randomization that make exploitation of the use-after-free triggered by improper bio or queue merging across cgroups less reliable. These raise the cost of turning the flaw into code execution but do not remove it; only the kernel patch does.