CVE-2022-49860 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: ti: k3-udma-glue: fix memory leak when register device fail

If device_register() fails, it should call put_device() to give up reference, the name allocated in dev_set_name() can be freed in callback function kobject_cleanup().

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/14/2026

The vulnerability identified as CVE-2022-49860 resides within the Linux kernel's dmaengine subsystem, specifically affecting the ti k3-udma-glue driver implementation. This flaw represents a memory management issue that occurs during device registration processes, where proper resource cleanup mechanisms are not adequately executed when registration failures occur. The vulnerability manifests in the context of embedded systems utilizing Texas Instruments K3 SoC platforms where the uDMA glue driver manages data movement operations between various hardware components and the main processor.

The technical flaw stems from improper reference counting and resource management within the device registration flow. When the device_register() function fails to successfully register a device, the driver fails to invoke put_device() to properly release the reference count that was incremented during the registration process. This omission creates a memory leak scenario where allocated resources remain unreleased, including the memory allocated by dev_set_name() for device naming purposes. The kernel's object management system relies on proper reference counting to determine when resources can be safely freed, and this failure creates a dangling reference that prevents proper cleanup.

The operational impact of this vulnerability extends beyond simple memory consumption issues, as it can lead to progressive resource exhaustion on systems with limited memory capacity. In embedded environments where the Linux kernel operates with constrained resources, such memory leaks can accumulate over time and potentially cause system instability or performance degradation. The vulnerability is particularly concerning in real-time systems or industrial applications where predictable resource usage is critical for maintaining system reliability. Attackers could potentially exploit this memory leak to cause denial of service conditions by repeatedly triggering device registration failures, leading to gradual system resource depletion.

Mitigation strategies for this vulnerability involve ensuring that all device registration failure paths properly invoke put_device() to maintain correct reference counting semantics. System administrators should update to kernel versions containing the patched implementation where proper cleanup routines are executed regardless of registration success or failure outcomes. The fix aligns with best practices for kernel memory management and follows established patterns for resource cleanup in the Linux kernel's device model. This vulnerability demonstrates the importance of proper error handling in kernel space operations and the critical nature of maintaining reference count integrity throughout device lifecycle management. The issue relates to CWE-404, which addresses improper resource release, and could potentially be leveraged in broader exploitation scenarios targeting system stability through resource exhaustion attacks.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!