Cyber Resilience

CVE-2022-49694

High

Published: 26 February 2025

Modified: 24 March 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49694 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 28.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49694 is a use-after-free vulnerability (CWE-416) in the Linux kernel's block layer, specifically affecting the elevator interface during disk teardown operations. The issue arises because the elevator disabling and scheduler tag freeing occur in disk_release and blk_cleanup_queue, potentially leading to a use-after-free of q->tag_set when it is no longer valid. This is resolved by moving these operations, along with blk_qos_exit, to the end of del_gendisk to ensure they happen after filesystem requests are stopped and the queue is properly frozen.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction required (UI:N), in a local attack vector (AV:L) with unchanged scope (S:U). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as scored at CVSS 7.8 (CVSS:3.1), potentially allowing arbitrary code execution or system crashes during block device removal.

The provided patch references detail the mitigation: commit 50e34d78815e474d410f342fbe783b18192ca518 and commit f28699fafc047ec33299da01e928c3a0073c5cc6 in the Linux kernel stable tree move the elevator exit, tag_set freeing, and blk_qos_exit to del_gendisk, preventing the use-after-free by ensuring these steps occur after queue freeze and filesystem request cessation. Security practitioners should apply these stable kernel updates to affected systems.
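
The teardown ordering described above, as a simplified user-space model (an added example, not kernel code and not taken from the original page or the patch). The struct layouts, the `alive` flag standing in for freed memory, and the `teardown_old`/`teardown_fixed` names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model only: the driver owns tag_set; the queue just borrows a pointer. */
struct tag_set { bool alive; };
struct queue   { struct tag_set *tag_set; bool has_elevator; int stale_uses; };

/* Exiting the elevator frees scheduler tags, which reads q->tag_set. */
static void elevator_exit(struct queue *q)
{
    if (!q->has_elevator)
        return;
    if (!q->tag_set->alive)
        q->stale_uses++;        /* in the kernel: use after free */
    q->has_elevator = false;
}

/* The driver releases its tag_set once it has removed the disk. */
static void driver_free_tag_set(struct tag_set *set) { set->alive = false; }

/* Pre-fix order: elevator exit is left to disk_release, which runs on the
 * last disk reference drop, possibly after the driver freed tag_set. */
static int teardown_old(void)
{
    struct tag_set set = { .alive = true };
    struct queue q = { .tag_set = &set, .has_elevator = true };

    /* del_gendisk(): file system requests stopped, elevator untouched */
    driver_free_tag_set(&set);
    elevator_exit(&q);          /* disk_release(): too late */
    return q.stale_uses;
}

/* Post-fix order: elevator exit happens at the end of del_gendisk. */
static int teardown_fixed(void)
{
    struct tag_set set = { .alive = true };
    struct queue q = { .tag_set = &set, .has_elevator = true };

    elevator_exit(&q);          /* end of del_gendisk(): tag_set alive */
    driver_free_tag_set(&set);
    elevator_exit(&q);          /* disk_release(): nothing left to do */
    return q.stale_uses;
}

int main(void)
{
    printf("old: %d stale use(s), fixed: %d\n", teardown_old(), teardown_fixed());
    return 0;
}
```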

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

block: disable the elevator int del_gendisk

The elevator is only used for file system requests, which are stopped in del_gendisk. Move disabling the elevator and freeing the scheduler tags to the end of del_gendisk instead of doing that work in disk_release and blk_cleanup_queue to avoid a use after free on q->tag_set from disk_release as the tag_set might not be alive at that point.

Move the blk_qos_exit call as well, as it just depends on the elevator exit and would be the only reason to keep the not exactly cheap queue freeze in disk_release.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in block layer directly enables privilege escalation via arbitrary code execution from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2023-52974 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2022-49176 (same product: Linux kernel)
CVE-2022-49291 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)

Affected Assets

linux
linux kernel
5.19 · 5.16 — 5.18.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Mandates timely identification, reporting, and patching of flaws like the use-after-free in the Linux kernel block layer elevator during disk teardown.

Detect: Requires vulnerability scanning and monitoring to identify systems running kernel versions affected by CVE-2022-49694.

Prevent: Provides memory protections such as DEP and ASLR that mitigate exploitation of the use-after-free vulnerability by preventing unauthorized code execution.
