CVE-2022-49376

scsi: sd: Fix potential NULL pointer dereference

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: sd: Fix potential NULL pointer dereference If sd_probe() sees an early error before sdkp->device is initialized, sd_zbc_release_disk() is called. This causes a NULL pointer dereference when sd_is_zoned() is called inside that function. Avoid this by removing the call to sd_zbc_release_disk() in sd_probe() error path. This change is safe and does not result in zone information memory leakage because the zone information for a zoned disk is allocated only when sd_revalidate_disk() is called, at which point sdkp->disk_dev is fully set, resulting in sd_disk_release() being called when needed to cleanup a disk zone information using sd_zbc_release_disk().

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/c1f0187025905e9981000d44a92e159468b561a8 patch
https://git.kernel.org/stable/c/0fcb0b131cc90c8f523a293d84c58d0c7273c96f patch
https://git.kernel.org/stable/c/78f8e96df06e2d04d82d4071c299b59d28744f47 patch
https://git.kernel.org/stable/c/3733439593ad12f7b54ae35c273ea6f15d692de3 patch
https://git.kernel.org/stable/c/05fbde3a77a4f1d62e4c4428f384288c1f1a0be5 patch

Frequently Asked Questions

What is the severity of CVE-2022-49376?
CVE-2022-49376 has been scored as a medium severity vulnerability.
How to fix CVE-2022-49376?
To fix CVE-2022-49376, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-49376 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-49376 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-49376?
CVE-2022-49376 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.