CVE-2022-49003

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the fixed version

Description The issue is related to the Linux kernel's NVMe component, specifically with the nvme mpath revalidate paths() function in drivers/nvme/host/multipath.c and the nvme ns remove() function in drivers/nvme/host/core.c. The problem arises from incorrect locking, which can lead to a use-after-free condition when concurrent scan work is performed. This can cause a kernel NULL pointer dereference, resulting in a system crash. The vulnerability can be exploited to cause a denial of service.

Recommendations To resolve the issue, update the Linux kernel to a version that includes the fix for the nvme mpath revalidate paths() and nvme ns remove() functions. As a temporary workaround, consider disabling the nvme mpath revalidate paths() function until a patch is available. Restrict access to the NVMe component to minimize the risk of exploitation. Avoid using the NVMe component with native multipath on affected kernel versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.