CVE-2022-49090

5.5 MEDIUM

📋 TL;DR

A race condition in the Linux kernel's ARM64 architecture prevents proper core scheduling topology initialization, causing incorrect CPU mask setup. This leads to kernel NULL pointer dereferences and system crashes when core scheduling is enabled. Affects Linux systems with ARM64 CPUs running vulnerable kernel versions.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Specific vulnerable versions not explicitly stated in CVE, but patches exist in stable kernel trees. Likely affects multiple kernel versions before fixes were backported.
Operating Systems: Linux distributions with ARM64 support
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when core scheduling is enabled and running on ARM64 architecture. Most systems don't enable core scheduling by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic and system crash leading to denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

System crash when applications using core scheduling (like stress-ng with PR_SCHED_CORE) are executed, resulting in denial of service.

🟢

If Mitigated

No impact if core scheduling is disabled or system is patched.

🌐 Internet-Facing: LOW - Requires local access and specific conditions to trigger.
🏢 Internal Only: MEDIUM - Local users or processes can crash the system, affecting shared infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and the ability to run applications that enable core scheduling. The crash is triggered by ordinary use of the core scheduling feature rather than by a crafted exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in multiple stable kernel trees by commits 5524cbb1bfcdff0cad0aaa9f94e6092002a07259, 790c1567582bda8f1153015436e3330a7c6eb278, 87f5d66daa5f457449bb95d6b8d18bb7596aa627, c78a1b2d0bff678570c8dc9f14035606f5e5257d

Vendor Advisory: https://git.kernel.org/stable/c/5524cbb1bfcdff0cad0aaa9f94e6092002a07259

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution's repositories.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Disable Core Scheduling

linux

Prevent triggering the vulnerability by disabling core scheduling feature

echo 0 > /sys/kernel/debug/sched/core_sched_enabled

Restrict PR_SCHED_CORE Usage

linux

Use kernel capabilities or SELinux to restrict applications from using PR_SCHED_CORE prctl

setcap -r /path/to/application
Or configure SELinux/AppArmor policies

🧯 If You Can't Patch

  • Disable core scheduling system-wide via kernel command line or sysfs
  • Implement strict access controls to prevent unauthorized users from running applications that enable core scheduling

🔍 How to Verify

Check if Vulnerable:

Check if system is ARM64 and core scheduling is enabled: uname -m && cat /sys/kernel/debug/sched/core_sched_enabled

Check Version:

uname -r

Verify Fix Applied:

Check kernel version against patched releases and verify system stability when running stress-ng with core scheduling tests

📡 Detection & Monitoring

Log Indicators:

  • Kernel warnings about 'task_rq(b)->core != rq->core'
  • NULL pointer dereference crashes in scheduler code
  • System crashes when running applications with PR_SCHED_CORE

Network Indicators:

  • None - purely local vulnerability

SIEM Query:

source="kernel" AND ("task_rq(b)->core != rq->core" OR "sched_core_cpu_starting" OR "core scheduling")
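
The same indicators can be triaged directly on a host. The script below is an added example, not part of the advisory or the kernel project: it reports a crash only when a NULL pointer dereference is followed by a core-scheduling stack frame, so unrelated oopses are not flagged. The function names, the `sched_core_` prefix match, the 40-line window and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): triage kernel log text for the
# CVE-2022-49090 indicators. Reads log lines on stdin, prints one verdict.
triage_sched_core_log() {
    awk -v window="${WINDOW:-40}" '
        # Scheduler invariant warning quoted in the Log Indicators list.
        index($0, "task_rq(b)->core != rq->core") { warn = 1 }
        # A NULL pointer dereference opens an oops; remember its line number.
        /NULL pointer dereference/ { oops_at = NR }
        # Count the oops only if a core-scheduling frame follows closely.
        # Assumption: such frames carry the sched_core_ symbol prefix.
        /sched_core_/ && oops_at && NR - oops_at <= window { crash = 1 }
        END { print (crash ? "crash" : (warn ? "warning" : "clean")) }
    '
}

# Constructed sample logs (not captured from a real system).
sample_crash() {
    cat <<'EOF'
[   41.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   41.000002] Internal error: Oops [#1] SMP
[   41.000003] Call trace:
[   41.000004]  sched_core_cpu_starting+0x0/0x0
EOF
}
sample_warning() {
    cat <<'EOF'
[   40.000001] task_rq(b)->core != rq->core
EOF
}
sample_unrelated() {
    cat <<'EOF'
[   50.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   50.000002] Call trace:
[   50.000003]  example_driver_read+0x0/0x0
EOF
}

# Live use on a host: dmesg | triage_sched_core_log
sample_crash | triage_sched_core_log
```

A "warning" verdict means the invariant check fired without a matching oops in the captured text.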
