CVE-2022-49411

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's BFQ I/O scheduler allows attackers to cause kernel crashes or potentially execute arbitrary code with kernel privileges. This affects Linux systems using the BFQ scheduler, primarily those with cgroup configurations. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Linux kernel with BFQ I/O scheduler enabled
Versions: Linux kernel versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if BFQ scheduler is enabled and cgroups are used. Many distributions don't enable BFQ by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash or potential privilege escalation to kernel-level code execution, enabling complete system compromise.

🟠

Likely Case

System instability, kernel crashes, or denial of service affecting system availability.

🟢

If Mitigated

Limited impact if proper access controls prevent local user exploitation and systems are isolated.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable via network.
🏢 Internal Only: MEDIUM - Local users or compromised accounts could exploit this to cause system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of cgroup manipulation. No public exploits known as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel versions containing the fix commits (e.g., 5.15.90+, 5.19.17+, 6.0.15+, 6.1.1+)

Vendor Advisory: https://git.kernel.org/stable/c/075a53b78b815301f8d3dd1ee2cd99554e34f0dd

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a patched version from your distribution.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Disable BFQ scheduler

Linux

Switch to a different I/O scheduler to avoid the vulnerable code path. BFQ is only offered on blk-mq request queues, where the selectable alternatives are mq-deadline, kyber and none; the legacy names deadline and noop are rejected with "Invalid argument" on those kernels. The change is not persistent across reboot, so apply it from a udev rule or boot script if it must survive a restart.

echo mq-deadline > /sys/block/[device]/queue/scheduler
echo none > /sys/block/[device]/queue/scheduler

Restrict cgroup access

Linux

Limit which users can create/manipulate cgroups to reduce attack surface

chmod 750 /sys/fs/cgroup
setfacl -m u:user:rx /sys/fs/cgroup

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized local users from accessing the system
  • Monitor system logs for kernel panic or crash events and implement redundancy for critical systems

🔍 How to Verify

Check if Vulnerable:

Check whether BFQ is the active scheduler on any block device. The sysfs file lists every available scheduler and marks the active one in brackets, so grep for the bracketed name rather than the bare word: grep -l '\[bfq\]' /sys/block/*/queue/scheduler
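The same check as a small POSIX sh script, added here as an example and not part of the advisory's own commands. It assumes the standard sysfs layout under /sys/block and reports only devices on which bfq is the active scheduler, ignoring devices where bfq is merely available:

```shell
#!/bin/sh
# Added example: list block devices whose active I/O scheduler is BFQ.
# The sysfs file looks like "mq-deadline kyber [bfq] none", with the
# active scheduler in brackets, so a plain "grep bfq" gives false positives.

# Print the bracketed (active) scheduler name from one sysfs line.
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# Succeed (exit 0) only when BFQ is the active scheduler in the line.
uses_bfq() {
    [ "$(active_scheduler "$1")" = "bfq" ]
}

# Walk /sys/block and print "device: <scheduler line>" for each device
# on BFQ. Returns 1 if at least one such device exists, else 0.
scan_block_devices() {
    found=0
    for f in /sys/block/*/queue/scheduler; do
        [ -r "$f" ] || continue
        dev=${f#/sys/block/}
        dev=${dev%%/*}
        line=$(cat "$f")
        if uses_bfq "$line"; then
            printf '%s: %s\n' "$dev" "$line"
            found=1
        fi
    done
    return $found
}

# Constructed sample lines (not captured from a real host) showing the
# difference between "bfq active" and "bfq merely available".
SAMPLE_ACTIVE='mq-deadline kyber [bfq] none'
SAMPLE_AVAILABLE='[mq-deadline] kyber bfq none'

if scan_block_devices; then
    echo "no block device is currently using bfq"
else
    echo "bfq is active on the devices listed above; see the workaround"
fi
```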

Check Version:

uname -r

Verify Fix Applied:

Run uname -r and compare the running version against your distribution's security advisories for this CVE; the upstream fix commit is linked under Vendor Advisory above.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/kern.log or dmesg
  • System crash/reboot events
  • OOM killer activity related to BFQ

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "general protection fault") AND ("bfq" OR "cgroup")
