{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T02:53:56.947","vulnerabilities":[{"cve":{"id":"CVE-2022-49179","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T07:00:55.037","lastModified":"2025-03-25T15:07:03.630","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: don't move oom_bfqq\n\nOur test report a UAF:\n\n[ 2073.019181] ==================================================================\n[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168\n[ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584\n[ 2073.019192]\n[ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5\n[ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n[ 2073.019200] Call trace:\n[ 2073.019203]  dump_backtrace+0x0/0x310\n[ 2073.019206]  show_stack+0x28/0x38\n[ 2073.019210]  dump_stack+0xec/0x15c\n[ 2073.019216]  print_address_description+0x68/0x2d0\n[ 2073.019220]  kasan_report+0x238/0x2f0\n[ 2073.019224]  __asan_store8+0x88/0xb0\n[ 2073.019229]  __bfq_put_async_bfqq+0xa0/0x168\n[ 2073.019233]  bfq_put_async_queues+0xbc/0x208\n[ 2073.019236]  bfq_pd_offline+0x178/0x238\n[ 2073.019240]  blkcg_deactivate_policy+0x1f0/0x420\n[ 2073.019244]  bfq_exit_queue+0x128/0x178\n[ 2073.019249]  blk_mq_exit_sched+0x12c/0x160\n[ 2073.019252]  elevator_exit+0xc8/0xd0\n[ 2073.019256]  blk_exit_queue+0x50/0x88\n[ 2073.019259]  blk_cleanup_queue+0x228/0x3d8\n[ 2073.019267]  null_del_dev+0xfc/0x1e0 [null_blk]\n[ 2073.019274]  null_exit+0x90/0x114 [null_blk]\n[ 2073.019278]  __arm64_sys_delete_module+0x358/0x5a0\n[ 2073.019282]  el0_svc_common+0xc8/0x320\n[ 2073.019287]  el0_svc_handler+0xf8/0x160\n[ 2073.019290]  el0_svc+0x10/0x218\n[ 2073.019291]\n[ 2073.019294] Allocated by task 14163:\n[ 2073.019301]  kasan_kmalloc+0xe0/0x190\n[ 2073.019305]  kmem_cache_alloc_node_trace+0x1cc/0x418\n[ 2073.019308]  bfq_pd_alloc+0x54/0x118\n[ 2073.019313]  blkcg_activate_policy+0x250/0x460\n[ 2073.019317]  bfq_create_group_hierarchy+0x38/0x110\n[ 2073.019321]  bfq_init_queue+0x6d0/0x948\n[ 2073.019325]  blk_mq_init_sched+0x1d8/0x390\n[ 2073.019330]  elevator_switch_mq+0x88/0x170\n[ 2073.019334]  elevator_switch+0x140/0x270\n[ 2073.019338]  elv_iosched_store+0x1a4/0x2a0\n[ 2073.019342]  queue_attr_store+0x90/0xe0\n[ 2073.019348]  sysfs_kf_write+0xa8/0xe8\n[ 2073.019351]  kernfs_fop_write+0x1f8/0x378\n[ 2073.019359]  __vfs_write+0xe0/0x360\n[ 2073.019363]  vfs_write+0xf0/0x270\n[ 2073.019367]  ksys_write+0xdc/0x1b8\n[ 2073.019371]  __arm64_sys_write+0x50/0x60\n[ 2073.019375]  el0_svc_common+0xc8/0x320\n[ 2073.019380]  el0_svc_handler+0xf8/0x160\n[ 2073.019383]  el0_svc+0x10/0x218\n[ 2073.019385]\n[ 2073.019387] Freed by task 72584:\n[ 2073.019391]  __kasan_slab_free+0x120/0x228\n[ 2073.019394]  kasan_slab_free+0x10/0x18\n[ 2073.019397]  kfree+0x94/0x368\n[ 2073.019400]  bfqg_put+0x64/0xb0\n[ 2073.019404]  bfqg_and_blkg_put+0x90/0xb0\n[ 2073.019408]  bfq_put_queue+0x220/0x228\n[ 2073.019413]  __bfq_put_async_bfqq+0x98/0x168\n[ 2073.019416]  bfq_put_async_queues+0xbc/0x208\n[ 2073.019420]  bfq_pd_offline+0x178/0x238\n[ 2073.019424]  blkcg_deactivate_policy+0x1f0/0x420\n[ 2073.019429]  bfq_exit_queue+0x128/0x178\n[ 2073.019433]  blk_mq_exit_sched+0x12c/0x160\n[ 2073.019437]  elevator_exit+0xc8/0xd0\n[ 2073.019440]  blk_exit_queue+0x50/0x88\n[ 2073.019443]  blk_cleanup_queue+0x228/0x3d8\n[ 2073.019451]  null_del_dev+0xfc/0x1e0 [null_blk]\n[ 2073.019459]  null_exit+0x90/0x114 [null_blk]\n[ 2073.019462]  __arm64_sys_delete_module+0x358/0x5a0\n[ 2073.019467]  el0_svc_common+0xc8/0x320\n[ 2073.019471]  el0_svc_handler+0xf8/0x160\n[ 2073.019474]  el0_svc+0x10/0x218\n[ 2073.019475]\n[ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00\n which belongs to the cache kmalloc-1024 of size 1024\n[ 2073.019484] The buggy address is located 552 bytes inside of\n 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)\n[ 2073.019486] The buggy address belongs to the page:\n[ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0\n[ 2073.020123] flags: 0x7ffff0000008100(slab|head)\n[ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00\n[ 2073.020409] ra\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: block, bfq: don't move oom_bfqq Nuestro informe de prueba es un UAF: [ 2073.019181] ======================================================================= [ 2073.019188] ERROR: KASAN: use-after-free en __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019191] Escritura de tamaño 8 en la dirección ffff8000ccf64128 por la tarea rmmod/72584 [ 2073.019192] [ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: cargado No contaminado 4.19.90-yk #5 [ 2073.019198] Nombre del hardware: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 [ 2073.019200] Rastreo de llamadas: [ 2073.019203] dump_backtrace+0x0/0x310 [ 2073.019206] show_stack+0x28/0x38 [ 2073.019210] dump_stack+0xec/0x15c [ 2073.019216] print_address_description+0x68/0x2d0 [ 2073.019220] kasan_report+0x238/0x2f0 [ 2073.019224] __asan_store8+0x88/0xb0 [ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019233] bfq_put_async_queues+0xbc/0x208 [ 2073.019236] bfq_pd_offline+0x178/0x238 [ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019244] bfq_exit_queue+0x128/0x178 [ 2073.019249] blk_mq_exit_sched+0x12c/0x160 [ 2073.019252] elevator_exit+0xc8/0xd0 [ 2073.019256] blk_exit_queue+0x50/0x88 [ 2073.019259] blk_cleanup_queue+0x228/0x3d8 [ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019274] null_exit+0x90/0x114 [null_blk] [ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019282] el0_svc_common+0xc8/0x320 [ 2073.019287] el0_svc_handler+0xf8/0x160 [ 2073.019290] el0_svc+0x10/0x218 [ 2073.019291] [ 2073.019294] Asignado por la tarea 14163: [ 2073.019301] kasan_kmalloc+0xe0/0x190 [ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418 [ 2073.019308] bfq_pd_alloc+0x54/0x118 [ 2073.019313] blkcg_activate_policy+0x250/0x460 [ 2073.019317] bfq_create_group_hierarchy+0x38/0x110 [ 2073.019321] bfq_init_queue+0x6d0/0x948 [ 2073.019325] blk_mq_init_sched+0x1d8/0x390 [ 2073.019330] elevator_switch_mq+0x88/0x170 [ 2073.019334] elevator_switch+0x140/0x270 [ 2073.019338] elv_iosched_store+0x1a4/0x2a0 [ 2073.019342] queue_attr_store+0x90/0xe0 [ 2073.019348] sysfs_kf_write+0xa8/0xe8 [ 2073.019351] kernfs_fop_write+0x1f8/0x378 [ 2073.019359] __vfs_write+0xe0/0x360 [ 2073.019363] vfs_write+0xf0/0x270 [ 2073.019367] ksys_write+0xdc/0x1b8 [ 2073.019371] __arm64_sys_write+0x50/0x60 [ 2073.019375] el0_svc_common+0xc8/0x320 [ 2073.019380] el0_svc_handler+0xf8/0x160 [ 2073.019383] el0_svc+0x10/0x218 [ 2073.019385] [ 2073.019387] Liberado por la tarea 72584: [ 2073.019391] __kasan_slab_free+0x120/0x228 [ 2073.019394] kasan_slab_free+0x10/0x18 [ 2073.019397] kfree+0x94/0x368 [ 2073.019400] bfqg_put+0x64/0xb0 [ 2073.019404] bfqg_and_blkg_put+0x90/0xb0 [ 2073.019408] bfq_put_queue+0x220/0x228 [ 2073.019413] __bfq_put_async_bfqq+0x98/0x168 [ 2073.019416] bfq_put_async_queues+0xbc/0x208 [ 2073.019420] bfq_pd_offline+0x178/0x238 [ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019429] bfq_exit_queue+0x128/0x178 [ 2073.019433] blk_mq_exit_sched+0x12c/0x160 [ 2073.019437] elevator_exit+0xc8/0xd0 [ 2073.019440] blk_exit_queue+0x50/0x88 [ 2073.019443] blk_cleanup_queue+0x228/0x3d8 [ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019459] null_exit+0x90/0x114 [null_blk] [ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019467] el0_svc_common+0xc8/0x320 [ 2073.019471] el0_svc_handler+0xf8/0x160 [ 2073.019474] el0_svc+0x10/0x218 [ 2073.019475] [ 2073.019479]  La dirección con errores pertenece al objeto en ffff8000ccf63f00 que pertenece al caché kmalloc-1024 de tamaño 1024 [ 2073.019484] La dirección con errores se encuentra 552 bytes dentro de la región de 1024 bytes [ffff8000ccf63f00, ffff8000ccf64300) [ 2073.019486] La dirección con errores pertenece a la página: [ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 Compound_mapcount: 0 [ 2073.020123] flags: 0x7ffff0000008100(slab|head) [ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00 [ 2073.020409] ra ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.189","matchCriteriaId":"4AAE7A78-57E5-45A6-860D-7867DA88A45E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.110","matchCriteriaId":"91D3BFD0-D3F3-4018-957C-96CCBF357D79"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.33","matchCriteriaId":"27C42AE8-B387-43E2-938A-E1C8B40BE6D5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"5.16.19","matchCriteriaId":"20C43679-0439-405A-B97F-685BEE50613B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"5.17.2","matchCriteriaId":"210C679C-CF84-44A3-8939-E629C87E54BF"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7507ead1e9d42957c2340f2c4a0e9d00034e3366","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8410f70977734f21b8ed45c37e925d311dfda2e7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/87fdfe8589d43e471dffb4c60f75eeb6f37afc4c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8f34dea99cd7761156a146a5258a67d045d862f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c01fced8d38fbccc82787065229578006f28e020","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c4f5a678add58a8a0e7ee5e038496b376ea6d205","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}