CVE-2022-49114: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49114 is a use-after-free vulnerability discovered in the Linux kernel's SCSI libfc subsystem, specifically in the fc_exch_abts_resp() function. The vulnerability was reported and resolved in February 2025, affecting various Linux kernel versions. The issue occurs when fc_exch_release(ep) decreases the reference count of an object, potentially freeing it, while the code continues to use the object afterward (NVD).

The vulnerability exists in the Linux kernel's SCSI libfc driver, specifically in the fc_exch_abts_resp() function. The technical issue involves a use-after-free condition where fc_exch_release(ep) decreases the reference count of an object, and when the count reaches zero, the object is freed. However, the subsequent code continues to use the freed object. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, RedHat).

The vulnerability could lead to system instability or potential privilege escalation due to the use-after-free condition in the kernel's SCSI subsystem. When exploited, it could allow an attacker with local access to cause a denial of service or potentially execute arbitrary code with elevated privileges (RedHat).

The vulnerability has been fixed by adding a return statement after the fc_exch_release(ep) call to prevent the use-after-free condition. The fix has been implemented in various Linux kernel versions, and affected systems should be updated to the patched versions. The fix is documented in the kernel commit 271add11994ba1a334859069367e04d2be2ebdd4 (Kernel Commit).