CVE-2022-49492: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49492 is a vulnerability in the Linux kernel's NVMe-PCI driver that was discovered and disclosed in February 2025. The vulnerability involves a NULL pointer dereference in the nvmeallocadmin_tags function, affecting various Linux distributions and their kernel versions (Ubuntu Security, RedHat Security).

The vulnerability occurs in the nvmeallocadmintags function where adminq can be set to an error (typically -ENOMEM) if the blkmqinitqueue call fails to set up the queue. When returning the error message up the stack to nvmeresetwork, the error path leads to nvmeremovedeadctrl() nvmedevdisable() nvmesuspendqueue(&dev->queues[0]). The code only checks that admin_q is non-NULL, rather than checking for both error and NULL conditions, resulting in an attempt to quiesce a queue that never existed, leading to a NULL pointer dereference. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Medium) (RedHat Security).

The vulnerability can lead to a system crash due to NULL pointer dereference when the NVMe driver fails to allocate admin queue tags. This primarily affects systems using NVMe storage devices and could potentially be triggered during system operation, impacting system stability (Kernel Git).

A patch has been developed and merged into the Linux kernel that properly handles the error case by setting dev->ctrl.admin_q to NULL before returning the error. Various Linux distributions have either patched or are in the process of patching their affected kernel versions. Ubuntu has fixed the issue in version 4.15.0-192.203 for 18.04 LTS (bionic) and other versions are being updated (Ubuntu Security).