CVE-2022-49982 in Linux

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

media: pvrusb2: fix memory leak in pvr_probe

The error handling code in pvr2_hdw_create forgets to unregister the v4l2 device. When pvr2_hdw_create returns to pvr2_context_create, it calls pvr2_context_destroy to destroy the context, but mp->hdw is NULL, which causes pvr2_hdw_destroy to return directly.

Fix this by adding v4l2_device_unregister to decrease the refcount of the USB interface.


Analysis

by VulDB Data Team • 11/30/2025

The vulnerability described in CVE-2022-49982 represents a memory leak issue within the Linux kernel's media subsystem, specifically affecting the pvrusb2 driver implementation. This flaw exists in the handling of device initialization and cleanup processes for USB video capture devices, particularly those manufactured by PVRUSB2. The vulnerability stems from inadequate error handling in the device creation sequence where proper resource cleanup is not performed when initialization fails.

The technical flaw manifests in the pvr2_hdw_create function which fails to properly unregister the v4l2 device during error conditions. When the device creation process encounters an issue, the error handling code neglects to call v4l2_device_unregister, which is essential for decrementing the reference count of the USB interface. This omission results in a memory leak where allocated resources remain unreleased even though the device initialization has failed. The problem becomes particularly evident when pvr2_hdw_create returns control to pvr2_context_create, which then attempts to destroy the context but finds that mp->hdw is NULL, causing pvr2_hdw_destroy to return prematurely without proper cleanup.

The operational impact of this vulnerability extends beyond simple memory consumption issues to potentially affect system stability and resource management in embedded systems and devices utilizing PVRUSB2 hardware. The memory leak accumulates over time as failed device initialization attempts occur, gradually depleting available system resources and potentially leading to system performance degradation or unexpected device behavior. This type of resource leak is particularly concerning in embedded environments where memory is constrained and system reliability is paramount. The vulnerability affects systems running Linux kernel versions that include the affected pvrusb2 driver code, making it relevant to a broad range of media processing and video capture applications.

The fix implemented addresses the root cause by explicitly adding v4l2_device_unregister calls in the error handling path of the pvr2_hdw_create function. This ensures that when device creation fails, the reference count of the USB interface is properly decremented, allowing for appropriate cleanup of allocated resources. This remediation aligns with the principle of proper resource management and follows the established patterns for error handling in kernel drivers. The solution directly addresses the memory leak by ensuring that all allocated resources are properly released regardless of whether device initialization succeeds or fails, thereby preventing the accumulation of unreleased memory structures. The fix represents a standard defensive programming approach that is consistent with kernel development best practices and helps maintain system stability under error conditions.
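The leak and its fix, modeled in user space as an added example (not the kernel's or this page's code). The `_model` types and functions are hypothetical stand-ins for v4l2_device_register, v4l2_device_unregister, pvr2_hdw_create and pvr2_hdw_destroy, and the `fail_late` and `fixed` parameters are assumptions used to force the error path with and without the added unregister call.

```c
/* User-space model, constructed for illustration; *_model names are stand-ins. */
#include <stdio.h>
#include <stdlib.h>

struct usb_intf_model { int refcount; };
struct hdw_model { struct usb_intf_model *intf; };

/* Registering the v4l2 device takes a reference on the USB interface. */
static void v4l2_register_model(struct hdw_model *h, struct usb_intf_model *i)
{ h->intf = i; i->refcount++; }

/* Unregistering drops that reference again. */
static void v4l2_unregister_model(struct hdw_model *h) { h->intf->refcount--; }

/* fail_late forces an error after registration; fixed selects whether the
 * error path unregisters before returning NULL to the caller. */
static struct hdw_model *hdw_create_model(struct usb_intf_model *i,
                                          int fail_late, int fixed)
{
    struct hdw_model *h = calloc(1, sizeof(*h));
    if (!h) return NULL;
    v4l2_register_model(h, i);
    if (!fail_late) return h;
    if (fixed) v4l2_unregister_model(h);   /* the call the fix adds */
    free(h);
    return NULL;
}

/* As described in the summary: destroy returns at once when hdw is NULL. */
static void hdw_destroy_model(struct hdw_model *h)
{
    if (!h) return;
    v4l2_unregister_model(h);
    free(h);
}

/* Run n failing probes; return the references still held on the interface. */
static int leaked_refs_after(int n, int fixed)
{
    struct usb_intf_model intf = { 0 };
    for (int k = 0; k < n; k++)
        hdw_destroy_model(hdw_create_model(&intf, 1, fixed));
    return intf.refcount;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", leaked_refs_after(5, 0), leaked_refs_after(5, 1));
}
```

Each failed probe in the unfixed model leaves one reference on the interface that no later cleanup path can drop, because the only owner of the registration has already been freed and the caller holds NULL.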

This vulnerability demonstrates characteristics consistent with CWE-401, which describes improper handling of memory allocation failures in software systems. The issue also relates to ATT&CK technique T1499.001, which involves resource exhaustion through memory leaks, potentially leading to system instability or denial of service conditions. The fix ensures proper resource lifecycle management and prevents the accumulation of leaked memory that could impact system performance over extended periods of operation.

Responsible

Linux

Reservation

06/18/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00204

KEV

no

Activities

very low
