CVE-2022-49720: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49720 is a vulnerability in the Linux kernel that was discovered in the block subsystem, specifically related to the handling of offline queues in the blkmqallocrequesthctx() function. The vulnerability was disclosed on February 26, 2025, affecting multiple versions of the Linux kernel from version 4.16 through 5.19 (NVD).

The vulnerability manifests as an array-index-out-of-bounds issue in block/blk-mq.h:135:9, where an index of 512 exceeds the bounds of a 'long unsigned int [512]' array. This occurs during the handling of offline queues in the blkmqallocrequesthctx() function. The issue was traced to a bug introduced by commit 20e4d8139319 titled 'blk-mq: simplify queue mapping & schedule with each possible CPU' (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to system instability or potential security issues when handling block device requests, particularly affecting NVMe storage devices. The bug is triggered during NVMe operations, specifically during the creation and connection of I/O queues, which could potentially affect system stability and data handling (Kernel Patch).

The vulnerability has been fixed through a patch that adds additional checks for CPU IDs in the blkmqallocrequesthctx() function. The fix has been reviewed by Christoph Hellwig and Ming Lei, and has been incorporated into various Linux kernel versions. Users are advised to update their Linux kernel to a patched version (Kernel Patch).