CVE-2022-49902
📋 TL;DR
This CVE describes a memory leak vulnerability in the Linux kernel's block subsystem when device_add_disk() fails. The leak occurs because rq_wb memory allocated during writeback throttling initialization isn't properly freed in error paths. This affects Linux systems using block devices with writeback throttling enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Sustained memory exhaustion leading to system instability, denial of service, or kernel panic if repeated failures occur in device initialization.
Likely Case
Minor memory leak during rare device initialization failures, unlikely to cause noticeable impact in most environments.
If Mitigated
No impact - memory is properly freed during normal operation or error handling.
🎯 Exploit Status
Exploitation requires triggering specific error conditions in kernel device initialization, typically requiring privileged access and specific hardware/configuration conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 4e68c5da60cd, 528677d3b4af, or fa81cbafbf57
Vendor Advisory: https://git.kernel.org/stable/c/4e68c5da60cd79950bd56287ae80b39d6261f995
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix.
2. For distributions: Use package manager (apt/yum/dnf) to update kernel package.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable writeback throttling
Disable the writeback throttling feature to prevent memory allocation in the vulnerable code path
echo 0 > /sys/block/<device>/queue/wbt_lat_usec
🧯 If You Can't Patch
- Monitor system memory usage for unusual leaks during device operations
- Avoid loading/unloading block device drivers that might trigger the failure condition
🔍 How to Verify
Check if Vulnerable:
Check kernel version and compare with distribution's patched version list. Use 'uname -r' and check if version is before the fix.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version after update contains fix commits or is newer than vulnerable versions. Check with 'uname -r' and distribution security advisories.
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages
- kmemleak reports of memory leaks in device_add_disk() or wbt_init()
- System logs showing device initialization failures
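To triage the kmemleak indicator above, the following added example (not part of the original advisory or the kernel project) counts unreferenced objects whose backtrace passes through wbt_init() or device_add_disk(). It assumes a kernel built with CONFIG_DEBUG_KMEMLEAK and the usual kmemleak report layout; the function names and the embedded sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise kmemleak output for the leak described on this page.
# Reads kmemleak text on stdin and prints "<objects> <bytes>" for unreferenced
# objects whose backtrace contains wbt_init() or device_add_disk().
wbt_leak_summary() {
    awk '
        function close_obj() {
            if (in_obj && hit) { n++; total += size }
            in_obj = 0; hit = 0; size = 0
        }
        /^unreferenced object / {
            close_obj(); in_obj = 1
            # Header looks like: unreferenced object 0x... (size 512):
            s = $0
            sub(/^.*\(size /, "", s); sub(/\).*$/, "", s)
            size = s + 0
            next
        }
        # Backtrace frames look like: [<addr>] symbol+0xoff/0xlen
        in_obj && /[ \t](wbt_init|device_add_disk)\+0x/ { hit = 1 }
        END { close_obj(); printf "%d %d\n", n, total }
    '
}

# Constructed sample report: addresses, pids, sizes and offsets are made up.
sample_report() {
    cat <<'EOF'
unreferenced object 0xffff888012340000 (size 512):
  comm "modprobe", pid 1201, jiffies 4294901234 (age 31.220s)
  backtrace:
    [<00000000a1b2c3d4>] kmalloc_trace+0x26/0x60
    [<00000000b2c3d4e5>] wbt_init+0x4c/0x2e0
    [<00000000c3d4e5f6>] wbt_enable_default+0x5b/0xa0
    [<00000000e5f60718>] device_add_disk+0x21b/0x3f0
unreferenced object 0xffff888012350000 (size 64):
  comm "systemd-udevd", pid 388, jiffies 4294905678 (age 12.004s)
  backtrace:
    [<00000000f6071829>] __kmalloc+0x4d/0x150
    [<0000000007182930>] kobject_set_name_vargs+0x1e/0x90
unreferenced object 0xffff888012360000 (size 512):
  comm "modprobe", pid 1377, jiffies 4294909999 (age 3.500s)
  backtrace:
    [<00000000a1b2c3d4>] kmalloc_trace+0x26/0x60
    [<00000000b2c3d4e5>] wbt_init+0x4c/0x2e0
EOF
}

# On a live system (as root): wbt_leak_summary < /sys/kernel/debug/kmemleak
sample_report | wbt_leak_summary   # prints "2 1024"
```

A count that keeps growing across repeated device initialization failures matches the sustained-leak scenario described under Worst Case.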
Network Indicators:
- None - local vulnerability only
SIEM Query:
Search for kernel panic logs, memory allocation failures, or device initialization errors in system logs