CVE-2022-48921: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-48921 affects the Linux kernel's scheduler component, specifically in the reweightentity function. The vulnerability was discovered by Syzbot and was introduced by commit 4ef0c5c6b5ba. The issue involves a race condition between schedpostfork() and setpriority(PRIOPGRP) within a thread group that can lead to a null pointer dereference in the CFS (Completely Fair Scheduler) (NVD).

The vulnerability occurs when a main process spawns new threads that call setpriority(PRIOPGRP, 0, -20). During thread creation, copyprocess() is invoked to add the new taskstruct and call schedpostfork(). A race condition exists where setpriority(PRIOPGRP) and setoneprio() might be called for a thread that is still being created by copyprocess(), before schedpostfork() execution. This leads to a null pointer dereference in reweightentity() when attempting to access an uninitialized run queue pointer. The vulnerability has a CVSS v3.1 Base Score of 4.7 MEDIUM (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

The vulnerability can result in a null pointer dereference, potentially causing a kernel crash and system denial of service when exploited (NVD).

The issue has been fixed by removing the updateload parameter from the updateload param() function and modifying reweighttask() to only execute when the task flag doesn't have the TASKNEW flag set. The fix is implemented in kernel patch 13765de8148f71fa795e0a6607de37c49ea5915a (Kernel Patch).