CVE-2022-49190

Description

In the Linux kernel, the following vulnerability has been resolved: kernel/resource: fix kfree() of bootmem memory again Since commit ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem memory"), we could get a resource allocated during boot via alloc_resource(). And it's required to release the resource using free_resource(). Howerver, many people use kfree directly which will result in kernel BUG. In order to fix this without fixing every call site, just leak a couple of bytes in such corner case.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.05%• Percentile: 17%

Techniques & Countermeasures

• CWE-401•Missing Release of Memory after Effective Lifetime

  The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Affected Systems

• linux•linux

  ≥ ebff7d8f270d045338d9f4796014f4db429a17f9, < 3379a60f6bb4afcd9c456e340ac525ae649d3ce7 | ≥ ebff7d8f270d045338d9f4796014f4db429a17f9, < a9e88c2618d228d7a4e7e515cf30dc0d0d813f27 | ≥ ebff7d8f270d045338d9f4796014f4db429a17f9, < d7faa04a44a0c37ac3d222fa8e0bdcbfcee9c0c8 | ≥ ebff7d8f270d045338d9f4796014f4db429a17f9, < ab86020070999e758ce2e60c4348f20bf7ddba56 | ≥ ebff7d8f270d045338d9f4796014f4db429a17f9, < 0cbcc92917c5de80f15c24d033566539ad696892 | 3.10

• linux•linux_kernel

  ≥ 3.10, < 5.15.33 | ≥ 5.16, < 5.16.19 | ≥ 5.17, < 5.17.2

References (6)

• https://git.kernel.org/stable/c/3379a60f6bb4afcd9c456e340ac525ae649d3ce7
• https://git.kernel.org/stable/c/a9e88c2618d228d7a4e7e515cf30dc0d0d813f27
• https://git.kernel.org/stable/c/d7faa04a44a0c37ac3d222fa8e0bdcbfcee9c0c8
• https://git.kernel.org/stable/c/ab86020070999e758ce2e60c4348f20bf7ddba56
• https://git.kernel.org/stable/c/0cbcc92917c5de80f15c24d033566539ad696892
• https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html