CVE-2022-49855 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: iosm: fix memory leak in ipc_pcie_read_bios_cfg

ipc_pcie_read_bios_cfg() is using the acpi_evaluate_dsm() to obtain the wwan power state configuration from BIOS but is not freeing the acpi_object. The acpi_evaluate_dsm() returned acpi_object to be freed.

Free the acpi_object after use.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/01/2025

The vulnerability CVE-2022-49855 represents a memory leak within the Linux kernel's WWAN subsystem, specifically affecting the iosm driver implementation. This issue occurs in the ipc_pcie_read_bios_cfg function which interfaces with the ACPI subsystem to retrieve WWAN power state configuration parameters from the BIOS. The flaw demonstrates a classic memory management oversight where dynamically allocated resources are not properly released, creating potential system instability and resource exhaustion over time. The vulnerability resides in the net/wwan/iosm/ directory of the kernel source tree and impacts devices utilizing PCIe-based WWAN interfaces that rely on BIOS configuration for power state management.

The technical root cause of this vulnerability stems from improper memory deallocation following the invocation of the acpi_evaluate_dsm() function. This ACPI interface function returns an acpi_object structure containing the configuration data retrieved from the BIOS, but the calling function fails to invoke the appropriate cleanup mechanism to free this memory allocation. According to the Common Weakness Enumeration framework, this corresponds to CWE-401: Improper Release of Memory, which categorizes memory leaks as a fundamental resource management flaw. The missing free operation creates a dangling reference to allocated kernel memory that remains unreclaimed even after the function completes execution, leading to gradual memory consumption that can eventually impact system performance and stability.

From an operational security perspective, this memory leak poses significant risks to embedded systems and mobile devices that depend on continuous WWAN connectivity and power state management. The vulnerability can manifest as progressive memory degradation, potentially leading to system slowdowns, application crashes, or complete system hangs under sustained usage conditions. Attackers could potentially exploit this flaw by repeatedly triggering the affected code path to accelerate memory exhaustion, though the direct attack surface is limited to systems utilizing the specific iosm WWAN driver. The impact is particularly concerning in resource-constrained environments such as IoT devices, mobile routers, or automotive systems where memory resources are already limited and efficient resource management is critical.

Mitigation strategies for CVE-2022-49855 involve applying the kernel patch that implements proper memory cleanup by adding the required acpi_object_free() call after the acpi_evaluate_dsm() function invocation. System administrators should prioritize updating to kernel versions containing this fix, particularly in production environments where WWAN connectivity is critical. The vulnerability aligns with ATT&CK technique T1070.004: File Deletion, as it represents a failure in proper resource cleanup that can lead to system instability and performance degradation. Organizations should also implement monitoring for memory usage patterns on affected systems to detect potential exploitation attempts, and consider implementing automated patch management processes to ensure timely deployment of security fixes across all kernel components. The fix demonstrates proper kernel memory management practices and adheres to the principle of least privilege by ensuring all allocated resources are properly accounted for and released.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!