CVE-2022-50106 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address
of_get_next_parent() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() in the error path to avoid refcount leak.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/01/2025
The vulnerability identified as CVE-2022-50106 represents a memory management issue within the Linux kernel's powerpc/cell/axon_msi subsystem. This flaw specifically affects systems utilizing the Cell processor architecture, particularly those implementing the AXON MSI (Message Signaled Interrupts) functionality. The vulnerability manifests as a reference count leak that occurs during the setup of MSI message addresses, creating a subtle but significant memory management problem that can lead to resource exhaustion over time. The issue is classified under CWE-404, which deals with improper resource management, specifically focusing on reference counting errors in kernel space operations.
The technical root cause of this vulnerability lies in the improper handling of device tree node references within the of_get_next_parent() function call. When this function is invoked, it returns a pointer to a device tree node with its reference count incremented to indicate that the node is now in use. The kernel's memory management subsystem relies heavily on reference counting to track resource usage and ensure proper cleanup when resources are no longer needed. However, in the error path of the setup_msi_msg_address function, the developers failed to call of_node_put() to decrement the reference count when the node was no longer required, creating a scenario where the reference count remained artificially high. This oversight results in the device tree node never being properly released back to the system, leading to a gradual accumulation of unreleased references that can eventually exhaust available memory resources.
The operational impact of this vulnerability extends beyond simple memory consumption issues, as it can significantly affect system stability and performance on powerpc/cell systems. While the leak may appear minor in individual instances, repeated occurrences can lead to progressive memory fragmentation and resource exhaustion, potentially causing system slowdowns or even complete system crashes. The vulnerability is particularly concerning in server environments or embedded systems where long-running processes and continuous operation are expected, as the reference count leak compounds over time, eventually leading to degraded performance or system unresponsiveness. The nature of kernel-level memory leaks means that this issue affects the fundamental stability of the operating system rather than just specific applications or services.
Mitigation strategies for CVE-2022-50106 focus primarily on applying the official kernel patch that adds the missing of_node_put() call in the error handling path of the setup_msi_msg_address function. This patch ensures that all device tree node references are properly released regardless of execution flow, maintaining the integrity of the kernel's memory management subsystem. System administrators should prioritize applying this update to all affected powerpc/cell systems, particularly those in production environments where resource exhaustion could have severe consequences. Additionally, monitoring systems should be implemented to track memory usage patterns and reference count behavior to detect potential issues before they escalate. The fix aligns with ATT&CK technique T1490, which involves resource exhaustion attacks, by addressing a specific mechanism that could be exploited to cause system instability through memory management flaws, though the vulnerability itself requires kernel-level access to exploit and does not present a direct attack surface for external threat actors.