CVE-2022-50329 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq

Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()
can free bfqq first, and then call bic_set_bfqq(), which will cause uaf.

Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/1425f1bb5df5239021fd09ebc2a5e8070e705d36
https://git.kernel.org/stable/c/1ed959fef5b1c6f1a7a3fbea543698c30ebd6678
https://git.kernel.org/stable/c/246cf66e300b76099b5dbd3fdd39e9a5dbc53f02
https://git.kernel.org/stable/c/7949b0df3dd9f4817ed4a4e989fa9ee81df6205f
https://git.kernel.org/stable/c/cfe5b38c37720313eff0dec5517442c7ab3c9a20

History

Mon, 15 Sep 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq() can free bfqq first, and then call bic_set_bfqq(), which will cause uaf. Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().
Title		block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
References		https://git.kernel.org/stable/c/1425f1bb5df5239021fd09ebc2a5e8070e705d36 https://git.kernel.org/stable/c/1ed959fef5b1c6f1a7a3fbea543698c30ebd6678 https://git.kernel.org/stable/c/246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 https://git.kernel.org/stable/c/7949b0df3dd9f4817ed4a4e989fa9ee81df6205f https://git.kernel.org/stable/c/cfe5b38c37720313eff0dec5517442c7ab3c9a20

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-09-15T14:49:32.123Z

Updated: 2025-09-15T14:49:32.123Z

Reserved: 2025-09-15T14:18:36.815Z

Link: CVE-2022-50329

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-09-15T15:15:45.067

Modified: 2025-09-15T15:22:27.090

Link: CVE-2022-50329

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-50329", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-15T14:18:36.815Z", "datePublished": "2025-09-15T14:49:32.123Z", "dateUpdated": "2025-09-15T14:49:32.123Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-15T14:49:32.123Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq\n\nCommit 64dc8c732f5c (\"block, bfq: fix possible uaf for 'bfqq->bic'\")\nwill access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()\ncan free bfqq first, and then call bic_set_bfqq(), which will cause uaf.\n\nFix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/bfq-iosched.c"], "versions": [{"version": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a", "lessThan": "1425f1bb5df5239021fd09ebc2a5e8070e705d36", "status": "affected", "versionType": "git"}, {"version": "094f3d9314d67691cb21ba091c1b528f6e3c4893", "lessThan": "7949b0df3dd9f4817ed4a4e989fa9ee81df6205f", "status": "affected", "versionType": "git"}, {"version": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0", "lessThan": "cfe5b38c37720313eff0dec5517442c7ab3c9a20", "status": "affected", "versionType": "git"}, {"version": "761564d93c8265f65543acf0a576b32d66bfa26a", "lessThan": "1ed959fef5b1c6f1a7a3fbea543698c30ebd6678", "status": "affected", "versionType": "git"}, {"version": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab", "lessThan": "246cf66e300b76099b5dbd3fdd39e9a5dbc53f02", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/bfq-iosched.c"], "versions": [{"version": "5.15.86", "lessThan": "5.15.87", "status": "affected", "versionType": "semver"}, {"version": "6.0.16", "lessThan": "6.0.17", "status": "affected", "versionType": "semver"}, {"version": "6.1.2", "lessThan": "6.1.3", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.86", "versionEndExcluding": "5.15.87"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.16", "versionEndExcluding": "6.0.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.2", "versionEndExcluding": "6.1.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1425f1bb5df5239021fd09ebc2a5e8070e705d36"}, {"url": "https://git.kernel.org/stable/c/7949b0df3dd9f4817ed4a4e989fa9ee81df6205f"}, {"url": "https://git.kernel.org/stable/c/cfe5b38c37720313eff0dec5517442c7ab3c9a20"}, {"url": "https://git.kernel.org/stable/c/1ed959fef5b1c6f1a7a3fbea543698c30ebd6678"}, {"url": "https://git.kernel.org/stable/c/246cf66e300b76099b5dbd3fdd39e9a5dbc53f02"}], "title": "block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq", "x_generator": {"engine": "bippy-1.2.0"}}}}