CVE-2022-49609 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe
of_find_matching_node_and_match() returns a node pointer with refcount incremented, we should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak.
Analysis
by VulDB Data Team • 03/12/2025
This vulnerability exists within the Linux kernel's power reset subsystem, specifically in the arm-versatile platform implementation. The issue manifests as a reference count leak in the versatile_reboot_probe function, which is responsible for handling reboot operations on arm-versatile hardware platforms. The flaw is a classic resource management error where kernel memory management practices are not properly followed, leading to potential system instability over extended operation periods.
The technical root cause stems from improper handling of device tree node references within the kernel's device tree subsystem. The function of_find_matching_node_and_match() is designed to locate and return a reference to a matching device tree node while automatically incrementing the reference count to prevent premature deallocation. However, the versatile_reboot_probe function fails to properly decrement this reference count when the node pointer is no longer needed. This oversight creates a memory leak scenario where the reference count remains incremented indefinitely, preventing the kernel from properly releasing the associated device tree node resources.
The operational impact of this vulnerability extends beyond simple memory consumption issues. While the immediate effect appears as a reference count leak, the long-term implications can manifest as system resource exhaustion, particularly on embedded systems or devices with limited memory capacity. The leak accumulates over time through repeated reboot operations or system initialization cycles, potentially leading to system instability, performance degradation, or in severe cases, system crashes. This vulnerability affects all systems running the affected Linux kernel version that utilize arm-versatile platform hardware configurations.
The vulnerability maps to CWE-404, which specifically addresses improper resource management and memory leaks in software systems. From an attack perspective, while this represents a resource exhaustion issue rather than a direct exploit vector, it aligns with ATT&CK technique T1499.001, which covers resource exhaustion attacks. The vulnerability demonstrates poor kernel programming practices that could potentially be leveraged in combination with other exploits to amplify system instability or create conditions favorable for more serious attacks.
Mitigation strategies should focus on applying the official kernel patch that adds the missing of_node_put() call to properly decrement the reference count. System administrators should prioritize updating to kernel versions that include this fix, particularly on embedded systems or devices where memory constraints are more pronounced. Regular system monitoring for memory usage patterns can help detect potential resource leak impacts, though the primary solution remains the application of the kernel patch. Organizations should also implement comprehensive testing procedures to validate that reboot operations and device tree initialization functions work correctly after applying the patch, ensuring no regressions in system functionality occur.
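The get/put imbalance described in the root-cause paragraph, and the fix described in the mitigation paragraph, can be shown in a small user-space model. This is an added example, not the kernel's code or the upstream patch: the struct layouts, the compatible strings, `model_find_matching_node()`, `probe_leaky()`, `probe_fixed()` and `model_refcount()` are assumptions made for illustration, and `of_node_get()`/`of_node_put()` here are simplified stand-ins for the kernel functions of the same name.

```c
#include <stddef.h>
#include <string.h>

/* User-space stand-ins for kernel types; only the fields the model needs. */
struct device_node { const char *compatible; int refcount; };
struct of_device_id { const char *compatible; };

/* Constructed device tree and match table (compatible strings are made up). */
static struct device_node model_tree[] = {
    { "example,other-device", 1 },
    { "example,reboot-model", 1 },
};
static const struct of_device_id reboot_ids[] = { { "example,reboot-model" }, { NULL } };

static struct device_node *of_node_get(struct device_node *np)
{ if (np) np->refcount++; return np; }
static void of_node_put(struct device_node *np)
{ if (np) np->refcount--; }

/* Hypothetical model of of_find_matching_node_and_match(): the node it
 * returns carries an extra reference that the caller now owns. */
static struct device_node *model_find_matching_node(const struct of_device_id *ids)
{
    for (size_t i = 0; i < sizeof(model_tree) / sizeof(model_tree[0]); i++)
        for (const struct of_device_id *id = ids; id->compatible; id++)
            if (strcmp(model_tree[i].compatible, id->compatible) == 0)
                return of_node_get(&model_tree[i]);
    return NULL;
}

/* Leaky pattern: returns while still holding the reference. */
int probe_leaky(void)
{
    struct device_node *np = model_find_matching_node(reboot_ids);
    if (!np) return -1;
    return 0;               /* np goes out of scope, refcount stays raised */
}

/* Fixed pattern: release the reference once the node is no longer needed. */
int probe_fixed(void)
{
    struct device_node *np = model_find_matching_node(reboot_ids);
    if (!np) return -1;
    of_node_put(np);        /* balances the get done by the lookup */
    return 0;
}

/* Current refcount of the matched node, for checking the balance. */
int model_refcount(void) { return model_tree[1].refcount; }
```

When reviewing similar probe functions, check that every return path after a successful lookup reaches a matching of_node_put().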