CVE-2022-49675: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability was discovered in the tick/nohz component where the init-annotated ticknohzfullsetup() function was incorrectly exported. The issue was identified in June 2022 and affects the Linux kernel's timing subsystem. The vulnerability occurs because EXPORTSYMBOL and init is an unsafe combination, as the .init.text section is freed after initialization, making it impossible for modules to safely use __init annotated symbols (Kernel Git).

The vulnerability stems from a combination of EXPORTSYMBOL and _init annotations in the kernel code. When a symbol is annotated with _init, its code resides in the .init.text section, which is freed after system initialization. However, the ticknohzfullsetup() function was also exported using EXPORTSYMBOLGPL, allowing modules to access it even after the memory section was freed. This could lead to accessing freed memory, potentially resulting in a kernel panic (Debian Tracker).

If exploited, this vulnerability could lead to a kernel panic when a module attempts to access the freed ticknohzfull_setup() function. This would result in system instability and potential denial of service conditions (Debian Tracker).

The issue has been fixed by removing the EXPORTSYMBOLGPL of ticknohzfull_setup() since the function is only called from built-in code in kernel/sched/isolation.c. This fix has been implemented in various Linux distributions including Debian's bullseye (5.10.234-1) and bookworm (6.1.129-1) releases (Debian Tracker).