CVE-2022-50550 – A memory leak vulnerability in the Linux kernel... (How to Fix)

Q: What is the severity of CVE-2022-50550?

CVE-2022-50550 has a CVSS score of 5.5 (MEDIUM). A memory leak vulnerability in the Linux kernel's blk-iolatency subsystem occurs when disk initialization fails after blkcg_init_disk() is called but before add_disk() completes. This affects Linux systems using the blk-iolatency IO controller with specific disk initialization failures, potentially leading to resource exhaustion.

📋 TL;DR

A memory leak vulnerability in the Linux kernel's blk-iolatency subsystem occurs when disk initialization fails after blkcg_init_disk() is called but before add_disk() completes. This affects Linux systems using the blk-iolatency IO controller with specific disk initialization failures, potentially leading to resource exhaustion.

💻 Affected Systems

Products:

Linux kernel

Versions: Kernel versions with blk-iolatency support (introduced in v5.4) up to patched versions

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when using blk-iolatency IO controller and experiencing specific disk initialization failures.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Repeated triggering could exhaust kernel memory, causing system instability, denial of service, or kernel panic.

🟠

Likely Case

Memory leak during rare disk initialization failures, with minimal impact on stable systems.

🟢

If Mitigated

No impact if patched or if disk initialization never fails after blkcg_init_disk() is called.

🌐 Internet-Facing: LOW - Requires local access or specific disk initialization failures.

🏢 Internal Only: LOW - Requires local access and specific error conditions.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Requires triggering specific error conditions during disk initialization with blk-iolatency enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits 215f9437dda09531bcb80605298a24219f01cec5, 2a126e1db5553ce4498290df019866952f858954, or 813e693023ba10da9e75067780f8378465bf27cc

Vendor Advisory: https://git.kernel.org/stable/c/215f9437dda09531bcb80605298a24219f01cec5

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version. 2. Reboot system. 3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Disable blk-iolatency

linux

Disable the blk-iolatency IO controller if not required

echo 0 > /sys/block/<device>/queue/iosched/iolatency_enable

🧯 If You Can't Patch

Monitor system memory usage for unusual increases during disk operations
Avoid creating loop devices or disks with invalid configurations that could trigger the failure condition

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if blk-iolatency is enabled on any block devices

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits and test disk initialization scenarios

📡 Detection & Monitoring

Log Indicators:

Kernel oops messages
Memory allocation failures in kernel logs
Disk initialization error messages

SIEM Query:

source="kernel" AND ("memory leak" OR "blk-iolatency" OR "add_disk failed")

📊 Metadata

CVE ID: CVE-2022-50550

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-401

Published: October 7, 2025

Last Updated: February 5, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50550, you might also want to check these: