#VU104709 Improper locking in Linux kernel - CVE-2022-49155


Vulnerability identifier: #VU104709

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-49155

CWE-ID: CWE-667

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the qla2xxx_create_qpair() function in drivers/scsi/qla2xxx/qla_init.c. A local user can exploit it to perform a denial of service (DoS) attack.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel: All versions


External links
https://git.kernel.org/stable/c/1ab81d82fb1db7ec4be4b0d04563513e6d4bcdd5
https://git.kernel.org/stable/c/43195a0c620761fbb88db04e2475313855b948a4
https://git.kernel.org/stable/c/8077a7162bc3cf658dd9ff112bc77716c08458c5
https://git.kernel.org/stable/c/9c33d49ab9f3d8bd7512b3070cd2f07c4a8849d5
https://git.kernel.org/stable/c/a60447e7d451df42c7bde43af53b34f10f34f469
https://git.kernel.org/stable/c/a669a22aef0ceff706b885370af74b5a60a8ac85
https://git.kernel.org/stable/c/f68776f28d9134fa65056e7e63bfc734049730b7
https://git.kernel.org/stable/c/f97316dd393bc8df1cc2af6295a97b876eecf252


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker needs authentication credentials and must successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

