CVE-2022-49411: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49411 is a vulnerability in the Linux kernel's BFQ I/O scheduler that was discovered and disclosed in February 2025. The vulnerability affects the handling of bios queued into the BFQ I/O scheduler when associated with offline cgroups, potentially leading to use-after-free issues (NVD).

The vulnerability occurs when bios queued into the BFQ I/O scheduler are associated with a cgroup that was already offlined. This can cause insertion of a bfq_group into a service tree, which gets freed as soon as the last bio associated with it is completed, resulting in use-after-free issues for service tree users. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to use-after-free issues in the Linux kernel's I/O scheduler, potentially allowing an attacker to execute arbitrary code, cause system crashes, or escalate privileges. The high CVSS score indicates significant potential impact on system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed by ensuring that the system always operates on online bfqgroups. If the bfqgroup associated with the bio is not online, the system will pick the first online parent. The fix has been implemented in the Linux kernel codebase (Kernel Git).