CVE-2022-49922 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()
nfcmrvl_i2c_nci_send() will be called by nfcmrvl_nci_send(), and skb should be freed in nfcmrvl_i2c_nci_send(). However, nfcmrvl_nci_send() will only free skb when i2c_master_send() return >=0, which means skb will memleak when i2c_master_send() failed. Free skb no matter whether i2c_master_send() succeeds.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability identified as CVE-2022-49922 resides within the Linux kernel's NFC subsystem, specifically affecting the nfcmrvl driver implementation. This issue manifests in the nfcmrvl_i2c_nci_send() function which serves as a critical component in handling NFC communication over I2C interfaces. The flaw represents a classic memory management error that can lead to resource exhaustion and system instability. The vulnerability impacts devices utilizing NFC hardware that employs the Marvell NFC controller architecture, particularly those implementing I2C communication protocols for NFC data transmission.
The technical root cause of this vulnerability stems from improper memory deallocation logic within the NFC driver's I2C communication handler. When nfcmrvl_i2c_nci_send() processes NFC data packets, it relies on the i2c_master_send() function to transmit data over the I2C bus. The function correctly handles memory cleanup only when the I2C transmission succeeds, as indicated by a return value greater than or equal to zero. However, when i2c_master_send() fails during transmission, the function fails to free the socket buffer (skb) that contains the NFC data packet. This creates a memory leak scenario where each failed I2C transmission results in a leaked memory allocation that persists until the system reboots or the driver is unloaded. The flaw directly violates proper resource management principles and can accumulate over time, leading to significant memory consumption issues.
The operational impact of this vulnerability extends beyond simple memory leakage to potentially compromise system stability and performance. In embedded systems or devices with limited memory resources, repeated memory leaks can gradually consume available RAM, leading to system slowdowns, application crashes, or complete system hangs. The vulnerability is particularly concerning in mobile devices, IoT systems, or embedded NFC readers where continuous NFC operations may cause progressive memory degradation. Attackers could potentially exploit this weakness by triggering repeated I2C transmission failures, amplifying the memory leak effect to cause denial of service conditions. The vulnerability aligns with CWE-401, which specifically addresses improper release of memory, and represents a clear violation of the principle of resource management in kernel space programming.
Mitigation strategies for CVE-2022-49922 involve immediate patch application to affected Linux kernel versions, ensuring proper memory deallocation regardless of I2C transmission success or failure. System administrators should prioritize updating kernel versions to include the fix that implements unconditional skb freeing in the nfcmrvl_i2c_nci_send() function. Additionally, monitoring memory usage patterns on devices utilizing NFC functionality can help detect early signs of memory leakage. The fix demonstrates adherence to ATT&CK technique T1490, which involves resource exhaustion through memory leaks, and represents a fundamental defensive measure against such attack vectors. Organizations should implement comprehensive testing procedures to validate the patched kernel behavior under various I2C communication failure scenarios, ensuring that memory management operates correctly even when transmission errors occur. Regular security audits of kernel subsystems, particularly those handling hardware communication protocols, remain essential to prevent similar vulnerabilities from emerging in future releases.