CVE intelligence and bounded remediation
CVE-2022-49540 — Linux Linux Kernel security vulnerability
In the Linux kernel, the following vulnerability has been resolved: rcu-tasks: Fix race in schedule and flush work While booting secondary CPUs, cpus_read_[lock/unlock] is not keeping online cpumask stable. The transient online mask results in below calltrace. [ 0.324121] CPU1: Booted secondary processor 0x0000000001 [0x410fd083] [ 0.346652] Detected PIPT I-cache on CPU2 [ 0.347212] CPU2: Booted secondary processor 0x0000000002 [0x410fd083] [ 0.377255] Detected PIPT I-cache on CPU3 [ 0.377823] CPU3: Booted secondary processor 0x0000000003 [0x410fd083] [ 0.379040] ------------[ cut here ]------------ [ 0.383662] WARNING: CPU: 0 PID: 10 at kernel/workqueue.c:3084 __flush_work+0x12c/0x138 [ 0.384850] Modules linked in: [ 0.385403] CPU: 0 PID: 10 Comm: rcu_tasks_rude_ Not tainted 5.17.0-rc3-v8+ #13 [ 0.386473] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 0.387289] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.388308] pc : __flush_work+0x12c/0x138 [ 0.388970] lr : __flush_work+0x80/0x138 [ 0.389620] sp : ffffffc00aaf3c60 [ 0.390139] x29: ffffffc00aaf3d20 x28: ffffffc009c16af0 x27: ffffff80f761df48 [ 0.391316] x26: 0000000000000004 x25: 0000000000000003 x24…
- Severity
- Medium
- CVSS
- 4.7 (3.1)
- Published
- 2025-02-26
- CISA KEV
- Not currently listed
- Ecosystem
- linux/kernel
- Weaknesses
- CWE-362
Affected products
- linux / linux_kernel
Matched remediation archetype
Race condition, TOCTOU, and lifecycle synchronization
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Map concurrent actors, shared state, lock boundaries, signals, callbacks, retries, and check-then-use sequences in the affected path.
- Determine whether untrusted users can influence timing, object names, filesystem state, or repeated state transitions.
- Identify clustered and multi-process behavior that repository-local tests may not represent.
Remediate safely
- Make the sensitive state transition atomic or protect it with a consistently ordered synchronization primitive.
- Perform authorization and invariant checks on the same authoritative object and transaction used for the operation.
- Use unique private resources, safe ownership transfer, and idempotent operations; add deterministic concurrency regression tests.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.