CVE-2022-49176: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49176 is a use-after-free vulnerability discovered in the Linux kernel's BFQ I/O scheduler component. The vulnerability was disclosed on February 26, 2025, affecting the bfqdispatchrequest function in the Linux kernel's block I/O subsystem. The issue occurs when accessing a previously freed bfq_queue object during request dispatching (NVD, Kernel Git).

The vulnerability manifests as a use-after-free condition in the bfqdispatchrequest function. When processing I/O requests, the function attempts to access the flags value from an inservqueue pointer that has already been freed through a chain of function calls including bfqselectqueue, bfqbfqqexpire, _bfqbfqdresetinservice, and bfqput_queue. The KASAN (Kernel Address Sanitizer) detected unauthorized access of an 8-byte read at a freed memory location (Kernel Git). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to memory corruption and potential system crashes when the BFQ I/O scheduler is in use. Since it involves kernel memory management, successful exploitation could potentially result in privilege escalation or system instability (NVD).

The vulnerability has been patched by adding a check to verify if inservqueue equals bfqd->inservicequeue before accessing the queue's flags. The fix also includes modifying the bfqupdatedispatch_stats call to prevent use-after-free scenarios (Kernel Git).