{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: block, bfq: fix possible uaf for 'bfqq->bic'",
    "id" : "2401551",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401551"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-826",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nblock, bfq: fix possible uaf for 'bfqq->bic'\nOur test reports a uaf for 'bfqq->bic' in 5.10:\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\nbfq_select_queue+0x378/0xa30\nbfq_dispatch_request+0xe8/0x130\nblk_mq_do_dispatch_sched+0x62/0xb0\n__blk_mq_sched_dispatch_requests+0x215/0x2a0\nblk_mq_sched_dispatch_requests+0x8f/0xd0\n__blk_mq_run_hw_queue+0x98/0x180\n__blk_mq_delay_run_hw_queue+0x22b/0x240\nblk_mq_run_hw_queue+0xe3/0x190\nblk_mq_sched_insert_requests+0x107/0x200\nblk_mq_flush_plug_list+0x26e/0x3c0\nblk_finish_plug+0x63/0x90\n__iomap_dio_rw+0x7b5/0x910\niomap_dio_rw+0x36/0x80\next4_dio_read_iter+0x146/0x190 [ext4]\next4_file_read_iter+0x1e2/0x230 [ext4]\nnew_sync_read+0x29f/0x400\nvfs_read+0x24e/0x2d0\nksys_read+0xd5/0x1b0\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x61/0xc6\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that moving a process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n1) Initial state, two processes with io in the same cgroup.\nProcess 1       Process 2\n(BIC1)          (BIC2)\n|  Λ            |  Λ\n|  |            |  |\nV  |            V  |\nbfqq1           bfqq2\n2) bfqq1 is merged to bfqq2.\nProcess 1       Process 2\n(BIC1)          (BIC2)\n|               |\n\\-------------\\|\nV\nbfqq1           bfqq2(coop)\n3) Process 1 exits, then issue new io(denote IOA) from Process 2.\n(BIC2)\n|  Λ\n|  |\nV  |\nbfqq2(coop)\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\nProcess 2\n(BIC2)\nΛ\n|\\--------------\\\n|                V\nbfqq2           bfqq3\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exits, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\nFix the problem by clearing bfqq->bic while bfqq is detached from bic." ],
  "statement" : "On Red Hat Enterprise Linux 9, regular (non-root) users cannot exploit this vulnerability. This is due to the following:\n1) By default, SELinux actively enforces policies in targeted mode, meaning that even if base permissions allow cgroup manipulation, unprivileged cgroup manipulation will be prevented.\n2) By default, systemd does not delegate cgroup control to user processes, meaning that user sessions and services cannot create or manage their own cgroup hierarchies.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50488\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50488\nhttps://lore.kernel.org/linux-cve-announce/2025100413-CVE-2022-50488-32e8@gregkh/T" ],
  "name" : "CVE-2022-50488",
  "csaw" : false
}