CVE-2022-49794 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger()
If iio_trigger_register() returns error, it should call iio_trigger_free() to give up the reference that hold in iio_trigger_alloc(), so that it can call iio_trig_release() to free memory when the refcount hit to 0.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 11/03/2025
The vulnerability identified as CVE-2022-49794 represents a memory leak condition within the Linux kernel's industrial I/O (IIO) subsystem, specifically affecting the at91_adc driver implementation. This flaw occurs in the at91_adc_allocate_trigger() function where proper resource cleanup mechanisms are not adequately implemented when error conditions arise during trigger registration. The at91_adc driver is designed to support Analog-to-Digital Converter functionality on Atmel AT91 microcontrollers, which are commonly used in embedded systems and industrial applications requiring precise analog signal processing.
The technical flaw manifests when the iio_trigger_register() function fails and returns an error code to the at91_adc_allocate_trigger() function. In this error scenario, the driver fails to invoke the iio_trigger_free() function to properly release the reference that was initially acquired through iio_trigger_alloc(). This omission creates a situation where the trigger reference count remains incremented, preventing the proper cleanup of allocated memory resources. The underlying issue stems from inadequate error handling and resource management within the driver's trigger allocation and registration sequence, which violates fundamental memory management principles and can lead to progressive memory consumption over time.
The operational impact of this vulnerability extends beyond simple memory wastage to potentially compromise system stability and performance in embedded environments where memory resources are constrained. When multiple trigger allocation attempts fail, the accumulated unreleased references can lead to significant memory fragmentation and eventual system resource exhaustion. This is particularly concerning in industrial control systems and embedded devices where long-running processes and continuous operation are expected. The vulnerability affects systems using Atmel AT91 series microcontrollers with IIO ADC functionality, making it relevant to a wide range of embedded applications including industrial automation, IoT devices, and embedded computing platforms that rely on precise analog signal acquisition and processing.
Mitigation strategies for this vulnerability require kernel-level patches that ensure proper error handling in the at91_adc_allocate_trigger() function. The fix implements conditional logic to call iio_trigger_free() whenever iio_trigger_register() returns an error, thereby maintaining proper reference counting and enabling correct memory deallocation through the iio_trig_release() mechanism. System administrators should prioritize applying the relevant kernel updates and patches that address this specific memory leak condition. Additionally, monitoring for unusual memory consumption patterns in systems running affected kernel versions can serve as an early detection mechanism. The vulnerability aligns with CWE-401: Improper Release of Memory and relates to ATT&CK technique T1490: Inhibit System Recovery, as memory leaks can contribute to system instability and reduced availability. Organizations should also consider implementing robust kernel update policies and regular security assessments to prevent exploitation of similar memory management vulnerabilities in their embedded systems infrastructure.