CVE-2022-48693 in Linux
Summary
by MITRE • 05/03/2024
In the Linux kernel, the following vulnerability has been resolved:
soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs
In brcmstb_pm_probe(), there are two kinds of leak bugs:
(1) we need to add of_node_put() when for_each_matching_node() breaks
(2) we need to add iounmap() for each iomap in fail path
Analysis
by VulDB Data Team • 09/29/2025
The vulnerability CVE-2022-48693 represents a critical resource management issue within the Linux kernel's Broadcom STB (System-on-Chip) power management subsystem. This flaw exists in the soc/brcmstb/pm-arm driver component that handles power management operations for Broadcom STB platforms. The vulnerability stems from improper handling of reference counting and memory mapping operations during device probe initialization, creating persistent resource leaks that can accumulate over time and potentially lead to system instability or denial of service conditions. The issue specifically affects systems utilizing Broadcom STB SoC architectures where power management functionality is critical for device operation and system efficiency.
The technical implementation of this vulnerability manifests through two distinct but related memory management flaws within the brcmstb_pm_probe() function. The first flaw involves inadequate reference counting for device tree node references, where the for_each_matching_node() iteration loop does not properly release acquired node references when exiting early due to break conditions. This creates a reference count leak that prevents the kernel's device tree subsystem from properly deallocating memory resources. The second flaw occurs during error handling paths where the driver fails to properly unmap memory regions that were successfully mapped using ioremap() operations, resulting in __iomem memory leaks that persist even when the driver initialization fails. These issues collectively represent a failure to maintain proper resource lifecycle management in kernel space.
The operational impact of CVE-2022-48693 extends beyond simple memory consumption, as these resource leaks can progressively degrade system performance and stability. The reference count leak affects the device tree subsystem's ability to manage node references efficiently, potentially causing memory exhaustion in systems with extensive device tree configurations. The iomem leak directly impacts memory allocation pools, particularly in embedded systems with constrained resources where memory fragmentation can lead to allocation failures and system crashes. In production environments, these leaks can accumulate over time, especially in systems with frequent device initialization cycles, potentially leading to system instability or complete system hangs. The vulnerability is particularly concerning in embedded and IoT devices where memory resources are limited and system uptime is critical for operational reliability.
Mitigation strategies for CVE-2022-48693 require immediate kernel updates to the patched versions that address both reference counting and memory mapping issues. System administrators should prioritize applying the relevant kernel security patches as soon as possible, particularly in production environments where the vulnerability could be exploited to cause service disruption. The fix involves implementing proper resource cleanup in both normal and error paths of the driver initialization code, specifically adding of_node_put() calls when breaking out of device tree node iterations and ensuring iounmap() is called for each successfully mapped memory region during error handling. Organizations should also implement monitoring for memory usage patterns and system stability metrics to detect potential exploitation attempts or resource exhaustion conditions. This vulnerability aligns with CWE-404, which addresses improper resource release or unbalanced resource management, and can be mapped to ATT&CK technique T1499.004 related to network denial of service through resource exhaustion attacks.
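The two leak shapes described above, and the cleanup pattern the fix adds, as an added user-space model that is not the kernel's pm-arm code. of_node_get()/of_node_put() and the ioremap()/iounmap() stand-ins here are constructed counters rather than the real kernel API, and NUM_MEMC, probe_buggy(), probe_fixed() and leaked_after_probe() are names assumed for this example; what it shows is that breaking out of a node iteration keeps the current node's reference, and that an error return must unwind every mapping made before the failure.

```c
/* Added example (not kernel code): user-space model of the two leak
 * patterns in a probe() routine. The OF and MMIO primitives below are
 * constructed stand-ins that only count outstanding references and
 * mappings, so any leak is visible as a non-zero count after probe()
 * fails. */
#include <errno.h>
#include <stdio.h>

#define NUM_MEMC 3   /* constructed: number of matching DT nodes / MMIO regions */

struct device_node {
    int refcount;    /* modelled OF node reference count */
};

static struct device_node sram_nodes[NUM_MEMC];
static int live_node_refs;          /* outstanding of_node_get() references */
static int live_iomaps;             /* outstanding ioremap() mappings */
static int mapping_cookie[NUM_MEMC];
static void *ctrl_base[NUM_MEMC];   /* mappings owned by the driver on success */

/* Stand-in for of_node_get(): the iterator takes one ref per yielded node. */
static struct device_node *of_node_get(struct device_node *dn)
{
    dn->refcount++;
    live_node_refs++;
    return dn;
}

/* Stand-in for of_node_put(); NULL is a no-op, as in the kernel. */
static void of_node_put(struct device_node *dn)
{
    if (!dn)
        return;
    dn->refcount--;
    live_node_refs--;
}

/* Stand-in for ioremap(): returns NULL for region 'fail_at' to model failure. */
static void *ioremap_model(int idx, int fail_at)
{
    if (idx == fail_at)
        return NULL;
    live_iomaps++;
    return &mapping_cookie[idx];
}

static void iounmap_model(void *p)
{
    if (p)
        live_iomaps--;
}

static void reset_model(void)
{
    live_node_refs = live_iomaps = 0;
    for (int i = 0; i < NUM_MEMC; i++) {
        sram_nodes[i].refcount = 0;
        ctrl_base[i] = NULL;
    }
}

/* Buggy shape: a break out of the node loop keeps the current node's
 * reference, and the error return leaves earlier mappings in place. */
static int probe_buggy(int fail_at)
{
    struct device_node *dn;
    int i;

    for (i = 0; i < NUM_MEMC; i++) {
        dn = of_node_get(&sram_nodes[i]);       /* loop header yields node i */
        ctrl_base[i] = ioremap_model(i, fail_at);
        if (!ctrl_base[i])
            break;                              /* BUG: no of_node_put(dn), no iounmap() */
        of_node_put(dn);                        /* loop header drops the ref on advance */
    }
    return i < NUM_MEMC ? -ENOMEM : 0;
}

/* Fixed shape: drop the node ref on early exit and unwind every mapping made so far. */
static int probe_fixed(int fail_at)
{
    struct device_node *dn;
    int i, ret = 0;

    for (i = 0; i < NUM_MEMC; i++) {
        dn = of_node_get(&sram_nodes[i]);
        ctrl_base[i] = ioremap_model(i, fail_at);
        if (!ctrl_base[i]) {
            of_node_put(dn);                    /* fix (1): release the ref on early exit */
            ret = -ENOMEM;
            goto err_unmap;
        }
        of_node_put(dn);
    }
    return 0;

err_unmap:                                      /* fix (2): iounmap() each region mapped before the failure */
    while (--i >= 0) {
        iounmap_model(ctrl_base[i]);
        ctrl_base[i] = NULL;
    }
    return ret;
}

/* Runs one probe attempt and returns the number of resources (node refs +
 * mappings) still outstanding afterwards. On the success path the driver's
 * remove() is modelled by unmapping its regions, so only real leaks count. */
static int leaked_after_probe(int (*probe)(int), int fail_at)
{
    reset_model();
    if (probe(fail_at) == 0) {
        for (int i = 0; i < NUM_MEMC; i++)
            iounmap_model(ctrl_base[i]);
    }
    return live_node_refs + live_iomaps;
}

int main(void)
{
    printf("buggy probe, ioremap fails at region 1: %d leaked\n", leaked_after_probe(probe_buggy, 1));
    printf("fixed probe, ioremap fails at region 1: %d leaked\n", leaked_after_probe(probe_fixed, 1));
    printf("fixed probe, success then remove:       %d leaked\n", leaked_after_probe(probe_fixed, -1));
    return 0;
}
```

With a failure at the second region the buggy shape leaves one node reference and one mapping outstanding, while the fixed shape leaves nothing; the same counters stay at zero across a successful probe followed by remove(), which is the invariant a reviewer checks on any probe() error path.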