CVE-2022-49413: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49413 is a vulnerability in the Linux kernel's BFQ (Budget Fair Queueing) I/O scheduler that was discovered and disclosed in February 2025. The vulnerability affects the cgroup information handling in the bfqmergebio() function. When a process is migrated to a different cgroup, or during writeback operations that submit bios associated with a different cgroup, the function can operate with stale cgroup information (NVD).

The vulnerability occurs in the Linux kernel's block I/O scheduling subsystem, specifically in the BFQ scheduler's bio merging functionality. The issue arises when bfqmergebio() operates with outdated cgroup information in the bic (Block I/O Controller) structure. This can lead to incorrect merging of requests from different cgroups or interaction with already deallocated cgroup structures. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high potential impact (NVD).

The vulnerability can result in bio merging with requests from incorrect cgroups and potential merging of bfqqs (BFQ Queue Sets) belonging to different or already deallocated cgroups. This can lead to use-after-free issues, which could potentially result in system crashes or memory corruption (Kernel Commit).

The vulnerability has been fixed by updating the cgroup information in bfqmergebio() before performing any merge operations. The fix involves calling bfqbicupdate_cgroup() to ensure current cgroup information is used. The patch has been merged into the Linux kernel and is being backported to various stable kernel versions (Kernel Commit).