CVE-2022-50488 (GCVE-0-2022-50488)

Vulnerability from cvelistv5 – Published: 2025-10-04 15:43 – Updated: 2026-05-11 19:20
VLAI?
Title
block, bfq: fix possible uaf for 'bfqq->bic'
Summary
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix possible uaf for 'bfqq->bic' Our test report a uaf for 'bfqq->bic' in 5.10: ================================================================== BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30 CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014 Call Trace: bfq_select_queue+0x378/0xa30 bfq_dispatch_request+0xe8/0x130 blk_mq_do_dispatch_sched+0x62/0xb0 __blk_mq_sched_dispatch_requests+0x215/0x2a0 blk_mq_sched_dispatch_requests+0x8f/0xd0 __blk_mq_run_hw_queue+0x98/0x180 __blk_mq_delay_run_hw_queue+0x22b/0x240 blk_mq_run_hw_queue+0xe3/0x190 blk_mq_sched_insert_requests+0x107/0x200 blk_mq_flush_plug_list+0x26e/0x3c0 blk_finish_plug+0x63/0x90 __iomap_dio_rw+0x7b5/0x910 iomap_dio_rw+0x36/0x80 ext4_dio_read_iter+0x146/0x190 [ext4] ext4_file_read_iter+0x1e2/0x230 [ext4] new_sync_read+0x29f/0x400 vfs_read+0x24e/0x2d0 ksys_read+0xd5/0x1b0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x61/0xc6 Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups") changes that move process to a new cgroup will allocate a new bfqq to use, however, the old bfqq and new bfqq can point to the same bic: 1) Initial state, two process with io in the same cgroup. Process 1 Process 2 (BIC1) (BIC2) | Λ | Λ | | | | V | V | bfqq1 bfqq2 2) bfqq1 is merged to bfqq2. Process 1 Process 2 (BIC1) (BIC2) | | \-------------\| V bfqq1 bfqq2(coop) 3) Process 1 exit, then issue new io(denoce IOA) from Process 2. (BIC2) | Λ | | V | bfqq2(coop) 4) Before IOA is completed, move Process 2 to another cgroup and issue io. Process 2 (BIC2) Λ |\--------------\ | V bfqq2 bfqq3 Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2. If all the requests are completed, and Process 2 exit, BIC2 will be freed while there is no guarantee that bfqq2 will be freed before BIC2. Fix the problem by clearing bfqq->bic while bfqq is detached from bic.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4dfc12f8c94c8052e975060f595938f75e8b7165 , < 5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a (git)
Affected: 81b7d0c717a487ec50e2924a773ff501ee40f0d5 , < 094f3d9314d67691cb21ba091c1b528f6e3c4893 (git)
Affected: 3bc5e683c67d94bd839a1da2e796c15847b51b69 , < b22fd72bfebda3956efc4431b60ddfc0a51e03e0 (git)
Affected: 3bc5e683c67d94bd839a1da2e796c15847b51b69 , < 761564d93c8265f65543acf0a576b32d66bfa26a (git)
Affected: 3bc5e683c67d94bd839a1da2e796c15847b51b69 , < 64dc8c732f5c2b406cc752e6aaa1bd5471159cab (git)
Affected: 31326bf551269fb9bafa84ca99172b8340e5d8f8 (git)
Affected: 43c51b86dbe551cff5d39b88aa2f41d29479f9c4 (git)
Affected: 8615f6c0c9e7cf0ca90b6b5408784d797cbe5621 (git)
Create a notification for this product.
Linux Linux Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 5.10.175 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a",
              "status": "affected",
              "version": "4dfc12f8c94c8052e975060f595938f75e8b7165",
              "versionType": "git"
            },
            {
              "lessThan": "094f3d9314d67691cb21ba091c1b528f6e3c4893",
              "status": "affected",
              "version": "81b7d0c717a487ec50e2924a773ff501ee40f0d5",
              "versionType": "git"
            },
            {
              "lessThan": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0",
              "status": "affected",
              "version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
              "versionType": "git"
            },
            {
              "lessThan": "761564d93c8265f65543acf0a576b32d66bfa26a",
              "status": "affected",
              "version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
              "versionType": "git"
            },
            {
              "lessThan": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab",
              "status": "affected",
              "version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "31326bf551269fb9bafa84ca99172b8340e5d8f8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "43c51b86dbe551cff5d39b88aa2f41d29479f9c4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8615f6c0c9e7cf0ca90b6b5408784d797cbe5621",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.175",
                  "versionStartIncluding": "5.10.121",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "5.15.46",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.198",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.17.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027\n\nOur test report a uaf for \u0027bfqq-\u003ebic\u0027 in 5.10:\n\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\n\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\n bfq_select_queue+0x378/0xa30\n bfq_dispatch_request+0xe8/0x130\n blk_mq_do_dispatch_sched+0x62/0xb0\n __blk_mq_sched_dispatch_requests+0x215/0x2a0\n blk_mq_sched_dispatch_requests+0x8f/0xd0\n __blk_mq_run_hw_queue+0x98/0x180\n __blk_mq_delay_run_hw_queue+0x22b/0x240\n blk_mq_run_hw_queue+0xe3/0x190\n blk_mq_sched_insert_requests+0x107/0x200\n blk_mq_flush_plug_list+0x26e/0x3c0\n blk_finish_plug+0x63/0x90\n __iomap_dio_rw+0x7b5/0x910\n iomap_dio_rw+0x36/0x80\n ext4_dio_read_iter+0x146/0x190 [ext4]\n ext4_file_read_iter+0x1e2/0x230 [ext4]\n new_sync_read+0x29f/0x400\n vfs_read+0x24e/0x2d0\n ksys_read+0xd5/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that move process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n\n1) Initial state, two process with io in the same cgroup.\n\nProcess 1       Process 2\n (BIC1)          (BIC2)\n  |  \u039b            |  \u039b\n  |  |            |  |\n  V  |            V  |\n  bfqq1           bfqq2\n\n2) bfqq1 is merged to bfqq2.\n\nProcess 1       Process 2\n (BIC1)          (BIC2)\n  |               |\n   \\-------------\\|\n                  V\n  bfqq1           bfqq2(coop)\n\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\n\n (BIC2)\n  |  \u039b\n  |  |\n  V  |\n  bfqq2(coop)\n\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\n\nProcess 2\n (BIC2)\n   \u039b\n   |\\--------------\\\n   |                V\n  bfqq2           bfqq3\n\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exit, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\n\nFix the problem by clearing bfqq-\u003ebic while bfqq is detached from bic."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:20:26.632Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a"
        },
        {
          "url": "https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893"
        },
        {
          "url": "https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a"
        },
        {
          "url": "https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab"
        }
      ],
      "title": "block, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50488",
    "datePublished": "2025-10-04T15:43:42.352Z",
    "dateReserved": "2025-10-04T15:13:33.468Z",
    "dateUpdated": "2026-05-11T19:20:26.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-50488",
      "date": "2026-05-22",
      "epss": "0.00017",
      "percentile": "0.04543"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50488\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-04T16:15:45.707\",\"lastModified\":\"2026-03-25T00:30:57.577\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027\\n\\nOur test report a uaf for \u0027bfqq-\u003ebic\u0027 in 5.10:\\n\\n==================================================================\\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\\n\\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\\nCall Trace:\\n bfq_select_queue+0x378/0xa30\\n bfq_dispatch_request+0xe8/0x130\\n blk_mq_do_dispatch_sched+0x62/0xb0\\n __blk_mq_sched_dispatch_requests+0x215/0x2a0\\n blk_mq_sched_dispatch_requests+0x8f/0xd0\\n __blk_mq_run_hw_queue+0x98/0x180\\n __blk_mq_delay_run_hw_queue+0x22b/0x240\\n blk_mq_run_hw_queue+0xe3/0x190\\n blk_mq_sched_insert_requests+0x107/0x200\\n blk_mq_flush_plug_list+0x26e/0x3c0\\n blk_finish_plug+0x63/0x90\\n __iomap_dio_rw+0x7b5/0x910\\n iomap_dio_rw+0x36/0x80\\n ext4_dio_read_iter+0x146/0x190 [ext4]\\n ext4_file_read_iter+0x1e2/0x230 [ext4]\\n new_sync_read+0x29f/0x400\\n vfs_read+0x24e/0x2d0\\n ksys_read+0xd5/0x1b0\\n do_syscall_64+0x33/0x40\\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\\n\\nCommit 3bc5e683c67d (\\\"bfq: Split shared queues on move between cgroups\\\")\\nchanges that move process to a new cgroup will allocate a new bfqq to\\nuse, however, the old bfqq and new bfqq can point to the same bic:\\n\\n1) Initial state, two process with io in the same cgroup.\\n\\nProcess 1       Process 2\\n (BIC1)          (BIC2)\\n  |  \u039b            |  \u039b\\n  |  |            |  |\\n  V  |            V  |\\n  bfqq1           bfqq2\\n\\n2) bfqq1 is merged to bfqq2.\\n\\nProcess 1       Process 2\\n (BIC1)          (BIC2)\\n  |               |\\n   \\\\-------------\\\\|\\n                  V\\n  bfqq1           bfqq2(coop)\\n\\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\\n\\n (BIC2)\\n  |  \u039b\\n  |  |\\n  V  |\\n  bfqq2(coop)\\n\\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\\n\\nProcess 2\\n (BIC2)\\n   \u039b\\n   |\\\\--------------\\\\\\n   |                V\\n  bfqq2           bfqq3\\n\\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\\nIf all the requests are completed, and Process 2 exit, BIC2 will be\\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\\n\\nFix the problem by clearing bfqq-\u003ebic while bfqq is detached from bic.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.198\",\"versionEndExcluding\":\"5.5\",\"matchCriteriaId\":\"81CDA30E-0E3B-47FD-A824-FDDFD9CA4E3C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.121\",\"versionEndExcluding\":\"5.10.175\",\"matchCriteriaId\":\"EE96C02B-0E0C-4E77-AAE6-4628568068A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.46\",\"versionEndExcluding\":\"5.15.86\",\"matchCriteriaId\":\"491345B8-FB6A-428B-9FBF-F040E1C45FF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.17.14\",\"versionEndExcluding\":\"5.18\",\"matchCriteriaId\":\"53441672-E856-4C9B-92DD-20B8133BE921\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.18.3\",\"versionEndExcluding\":\"6.0.16\",\"matchCriteriaId\":\"A4D8B69F-9B92-4C7C-8014-D16B7A22B0AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1\",\"versionEndExcluding\":\"6.1.2\",\"matchCriteriaId\":\"77239F4B-6BB2-4B9E-A654-36A52396116C\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.