CVE-2022-50520 in Linux
Summary
by MITRE • 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
As comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreased the refcount for the input parameter @from if it is not NULL.
If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid refcount leak.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/19/2026
The vulnerability CVE-2022-50520 represents a memory management issue within the Linux kernel's graphics driver subsystem, specifically affecting the radeon graphics driver implementation. This flaw resides in the drm/radeon component responsible for handling PCI device interactions and BIOS retrieval operations. The vulnerability manifests as a reference count leak in the radeon_atrm_get_bios() function, which directly impacts the kernel's resource management capabilities and can lead to system instability over time.
The technical root cause stems from improper handling of PCI device reference counts within the radeon_atrm_get_bios() function. When the pci_get_class() function is invoked, it returns a pci_device structure with its reference count incremented as part of its standard behavior. However, the existing code logic fails to properly decrement this reference count when exiting the loop with a non-NULL pdev parameter. This creates a situation where the reference count remains artificially elevated, preventing proper resource cleanup and leading to memory leaks that accumulate over time.
The operational impact of this vulnerability extends beyond simple memory consumption issues. While the immediate effect appears to be a reference count leak rather than a direct security exploit, such memory management flaws can contribute to system instability, performance degradation, and potentially create conditions that might be exploited by malicious actors. The vulnerability affects systems running Linux kernels with radeon graphics drivers, particularly those utilizing ATI/AMD Radeon graphics hardware where the Advanced Thermal Resource Management (ATRM) functionality is active. The issue is classified under CWE-404 as an improper resource release or unbalanced resource management, specifically involving reference counting mechanisms.
From a cybersecurity perspective, this vulnerability aligns with ATT&CK technique T1059.003 for command and script injection, though not directly as an exploit vector. The memory leak could potentially be leveraged in resource exhaustion attacks where sustained memory consumption degrades system performance or availability. The vulnerability demonstrates poor adherence to kernel programming best practices regarding resource management and reference counting protocols. The fix requires adding a missing pci_dev_put() call to properly balance the reference count increment that occurred during the pci_get_class() operation, ensuring proper cleanup when exiting the function loop.
This issue underscores the critical importance of proper resource management in kernel space programming, where even seemingly minor reference counting errors can have significant system-wide implications. The fix implementation directly addresses the immediate problem by ensuring that when the loop exits with a valid pci device pointer, the corresponding reference count is properly decremented. This type of vulnerability is particularly concerning in embedded systems, servers, and other environments where long-running kernel processes are common, as the memory leak can accumulate and eventually lead to system crashes or degraded performance. The vulnerability serves as a reminder of the complex resource management requirements in kernel-level code and the need for rigorous code review processes to identify such subtle but impactful issues.