CVE-2022-49492

nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags

Description

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags In nvme_alloc_admin_tags, the admin_q can be set to an error (typically -ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which is checked immediately after the call. However, when we return the error message up the stack, to nvme_reset_work the error takes us to nvme_remove_dead_ctrl() nvme_dev_disable() nvme_suspend_queue(&dev->queues[0]). Here, we only check that the admin_q is non-NULL, rather than not an error or NULL, and begin quiescing a queue that never existed, leading to bad / NULL pointer dereference.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/8321b17789f614414206af07e17ce4751c95dc76 patch
https://git.kernel.org/stable/c/9e649471b396fa0139d53919354ce1eace9b9a24 patch
https://git.kernel.org/stable/c/8da2b7bdb47e94bbc4062a3978c708926bcb022c patch
https://git.kernel.org/stable/c/f76729662650cd7bc8f8194e057af381370349a7 patch
https://git.kernel.org/stable/c/af98940dd33c9f9e1beb4f71c0a39260100e2a65 patch
https://git.kernel.org/stable/c/906c81dba8ee8057523859b5e1a2479e9fd34860 patch
https://git.kernel.org/stable/c/7a28556082d1fbcbc599baf1c24252dfc73efefc patch
https://git.kernel.org/stable/c/54a4c1e47d1b2585e74920399455bd9abbfb2bd7 patch
https://git.kernel.org/stable/c/da42761181627e9bdc37d18368b827948a583929 patch

Frequently Asked Questions

What is the severity of CVE-2022-49492?
CVE-2022-49492 has been scored as a medium severity vulnerability.
How to fix CVE-2022-49492?
To fix CVE-2022-49492, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-49492 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-49492 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-49492?
CVE-2022-49492 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.