{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50488", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-10-04T15:13:33.468Z", "datePublished": "2025-10-04T15:43:42.352Z", "dateUpdated": "2026-05-11T19:20:26.632Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:20:26.632Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible uaf for 'bfqq->bic'\n\nOur test report a uaf for 'bfqq->bic' in 5.10:\n\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\n\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\n bfq_select_queue+0x378/0xa30\n bfq_dispatch_request+0xe8/0x130\n blk_mq_do_dispatch_sched+0x62/0xb0\n __blk_mq_sched_dispatch_requests+0x215/0x2a0\n blk_mq_sched_dispatch_requests+0x8f/0xd0\n __blk_mq_run_hw_queue+0x98/0x180\n __blk_mq_delay_run_hw_queue+0x22b/0x240\n blk_mq_run_hw_queue+0xe3/0x190\n blk_mq_sched_insert_requests+0x107/0x200\n blk_mq_flush_plug_list+0x26e/0x3c0\n blk_finish_plug+0x63/0x90\n __iomap_dio_rw+0x7b5/0x910\n iomap_dio_rw+0x36/0x80\n ext4_dio_read_iter+0x146/0x190 [ext4]\n ext4_file_read_iter+0x1e2/0x230 [ext4]\n new_sync_read+0x29f/0x400\n vfs_read+0x24e/0x2d0\n ksys_read+0xd5/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that move process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n\n1) Initial state, two process with io in the same cgroup.\n\nProcess 1 Process 2\n (BIC1) (BIC2)\n | \u039b | \u039b\n | | | |\n V | V |\n bfqq1 bfqq2\n\n2) bfqq1 is merged to bfqq2.\n\nProcess 1 Process 2\n (BIC1) (BIC2)\n | |\n \\-------------\\|\n V\n bfqq1 bfqq2(coop)\n\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\n\n (BIC2)\n | \u039b\n | |\n V |\n bfqq2(coop)\n\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\n\nProcess 2\n (BIC2)\n \u039b\n |\\--------------\\\n | V\n bfqq2 bfqq3\n\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exit, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\n\nFix the problem by clearing bfqq->bic while bfqq is detached from bic."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/bfq-iosched.c"], "versions": [{"version": "4dfc12f8c94c8052e975060f595938f75e8b7165", "lessThan": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a", "status": "affected", "versionType": "git"}, {"version": "81b7d0c717a487ec50e2924a773ff501ee40f0d5", "lessThan": "094f3d9314d67691cb21ba091c1b528f6e3c4893", "status": "affected", "versionType": "git"}, {"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69", "lessThan": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0", "status": "affected", "versionType": "git"}, {"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69", "lessThan": "761564d93c8265f65543acf0a576b32d66bfa26a", "status": "affected", "versionType": "git"}, {"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69", "lessThan": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab", "status": "affected", "versionType": "git"}, {"version": "31326bf551269fb9bafa84ca99172b8340e5d8f8", "status": "affected", "versionType": "git"}, {"version": "43c51b86dbe551cff5d39b88aa2f41d29479f9c4", "status": "affected", "versionType": "git"}, {"version": "8615f6c0c9e7cf0ca90b6b5408784d797cbe5621", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/bfq-iosched.c"], "versions": [{"version": "5.19", "status": "affected"}, {"version": "0", "lessThan": "5.19", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.175", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.86", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.16", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.2", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.121", "versionEndExcluding": "5.10.175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.46", "versionEndExcluding": "5.15.86"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.0.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.1.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.198"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a"}, {"url": "https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893"}, {"url": "https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0"}, {"url": "https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a"}, {"url": "https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab"}], "title": "block, bfq: fix possible uaf for 'bfqq->bic'", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "81CDA30E-0E3B-47FD-A824-FDDFD9CA4E3C", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.198", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE96C02B-0E0C-4E77-AAE6-4628568068A7", "versionEndExcluding": "5.10.175", "versionStartIncluding": "5.10.121", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "491345B8-FB6A-428B-9FBF-F040E1C45FF1", "versionEndExcluding": "5.15.86", "versionStartIncluding": "5.15.46", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "53441672-E856-4C9B-92DD-20B8133BE921", "versionEndExcluding": "5.18", "versionStartIncluding": "5.17.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D8B69F-9B92-4C7C-8014-D16B7A22B0AA", "versionEndExcluding": "6.0.16", "versionStartIncluding": "5.18.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C", "versionEndExcluding": "6.1.2", "versionStartIncluding": "6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible uaf for 'bfqq->bic'\n\nOur test report a uaf for 'bfqq->bic' in 5.10:\n\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\n\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\n bfq_select_queue+0x378/0xa30\n bfq_dispatch_request+0xe8/0x130\n blk_mq_do_dispatch_sched+0x62/0xb0\n __blk_mq_sched_dispatch_requests+0x215/0x2a0\n blk_mq_sched_dispatch_requests+0x8f/0xd0\n __blk_mq_run_hw_queue+0x98/0x180\n __blk_mq_delay_run_hw_queue+0x22b/0x240\n blk_mq_run_hw_queue+0xe3/0x190\n blk_mq_sched_insert_requests+0x107/0x200\n blk_mq_flush_plug_list+0x26e/0x3c0\n blk_finish_plug+0x63/0x90\n __iomap_dio_rw+0x7b5/0x910\n iomap_dio_rw+0x36/0x80\n ext4_dio_read_iter+0x146/0x190 [ext4]\n ext4_file_read_iter+0x1e2/0x230 [ext4]\n new_sync_read+0x29f/0x400\n vfs_read+0x24e/0x2d0\n ksys_read+0xd5/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that move process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n\n1) Initial state, two process with io in the same cgroup.\n\nProcess 1 Process 2\n (BIC1) (BIC2)\n | \u039b | \u039b\n | | | |\n V | V |\n bfqq1 bfqq2\n\n2) bfqq1 is merged to bfqq2.\n\nProcess 1 Process 2\n (BIC1) (BIC2)\n | |\n \\-------------\\|\n V\n bfqq1 bfqq2(coop)\n\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\n\n (BIC2)\n | \u039b\n | |\n V |\n bfqq2(coop)\n\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\n\nProcess 2\n (BIC2)\n \u039b\n |\\--------------\\\n | V\n bfqq2 bfqq3\n\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exit, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\n\nFix the problem by clearing bfqq->bic while bfqq is detached from bic."}], "id": "CVE-2022-50488", "lastModified": "2026-03-25T00:30:57.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-10-04T16:15:45.707", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: block, bfq: fix possible uaf for 'bfqq->bic'", "id": "2401551", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401551"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nblock, bfq: fix possible uaf for 'bfqq->bic'\nOur test report a uaf for 'bfqq->bic' in 5.10:\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\nbfq_select_queue+0x378/0xa30\nbfq_dispatch_request+0xe8/0x130\nblk_mq_do_dispatch_sched+0x62/0xb0\n__blk_mq_sched_dispatch_requests+0x215/0x2a0\nblk_mq_sched_dispatch_requests+0x8f/0xd0\n__blk_mq_run_hw_queue+0x98/0x180\n__blk_mq_delay_run_hw_queue+0x22b/0x240\nblk_mq_run_hw_queue+0xe3/0x190\nblk_mq_sched_insert_requests+0x107/0x200\nblk_mq_flush_plug_list+0x26e/0x3c0\nblk_finish_plug+0x63/0x90\n__iomap_dio_rw+0x7b5/0x910\niomap_dio_rw+0x36/0x80\next4_dio_read_iter+0x146/0x190 [ext4]\next4_file_read_iter+0x1e2/0x230 [ext4]\nnew_sync_read+0x29f/0x400\nvfs_read+0x24e/0x2d0\nksys_read+0xd5/0x1b0\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x61/0xc6\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that move process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n1) Initial state, two process with io in the same cgroup.\nProcess 1 Process 2\n(BIC1) (BIC2)\n| \u039b | \u039b\n| | | |\nV | V |\nbfqq1 bfqq2\n2) bfqq1 is merged to bfqq2.\nProcess 1 Process 2\n(BIC1) (BIC2)\n| |\n\\-------------\\|\nV\nbfqq1 bfqq2(coop)\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\n(BIC2)\n| \u039b\n| |\nV |\nbfqq2(coop)\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\nProcess 2\n(BIC2)\n\u039b\n|\\--------------\\\n| V\nbfqq2 bfqq3\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exit, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\nFix the problem by clearing bfqq->bic while bfqq is detached from bic."], "name": "CVE-2022-50488", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat In-Vehicle Operating System 1"}], "public_date": "2025-10-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50488\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50488\nhttps://lore.kernel.org/linux-cve-announce/2025100413-CVE-2022-50488-32e8@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-10-06T14:41:33.149627+00:00", "updated": "2025-10-06T14:41:33.149698+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}