CVE-2022-50561 in Linux

Summary

by MITRE • 10/22/2025

In the Linux kernel, the following vulnerability has been resolved:

iio: fix memory leak in iio_device_register_eventset()

When iio_device_register_sysfs_group() returns failed, iio_device_register_eventset() needs to free attrs array.

Otherwise, kmemleak would scan & report memory leak as below:

unreferenced object 0xffff88810a1cc3c0 (size 32):
  comm "100-i2c-vcnl302", pid 728, jiffies 4295052307 (age 156.027s)
  backtrace:
    __kmalloc+0x46/0x1b0
    iio_device_register_eventset at drivers/iio/industrialio-event.c:541
    __iio_device_register at drivers/iio/industrialio-core.c:1959
    __devm_iio_device_register at drivers/iio/industrialio-core.c:2040


Analysis

by VulDB Data Team • 02/28/2026

The vulnerability identified as CVE-2022-50561 represents a memory management flaw within the Linux kernel's Industrial I/O (IIO) subsystem, specifically affecting the iio_device_register_eventset() function. This issue occurs during the device registration process where the kernel fails to properly clean up allocated memory resources when certain error conditions are encountered. The IIO subsystem serves as a framework for handling sensors and other input/output devices in embedded systems, making this vulnerability particularly concerning for IoT devices and industrial control systems that rely heavily on proper memory management.

The technical root cause of this vulnerability is inadequate error handling in industrialio-event.c: iio_device_register_eventset() allocates the attrs array (the kmemleak backtrace places that allocation at line 541) and then returns without freeing it when iio_device_register_sysfs_group() fails. The leak shows up as a kmemleak report of an unreferenced 32-byte object that had been unreferenced for over 156 seconds at the time of the scan. The flaw is a classic failure-path resource management error: memory allocated earlier in the function is not released when a later step fails, so every failed registration leaves behind an allocation that is never reclaimed and that can accumulate over time and potentially impact system stability.

The operational impact of this vulnerability extends beyond simple memory consumption issues, as it can lead to progressive memory exhaustion in systems with frequent device registration operations or those running for extended periods without rebooting. Systems utilizing IIO devices such as temperature sensors, accelerometers, or other industrial monitoring equipment may experience degraded performance or unexpected system behavior as memory becomes increasingly fragmented. The vulnerability is particularly relevant in embedded systems and IoT deployments where memory resources are constrained and system reliability is paramount, as the cumulative effect of multiple memory leaks can eventually lead to system crashes or service disruptions that align with ATT&CK technique T1490 for resource exhaustion.

Mitigation strategies for CVE-2022-50561 involve ensuring that kernel versions containing the fix are deployed across affected systems, with particular attention to embedded devices and industrial control systems that use the IIO subsystem. System administrators should prioritize patching, especially in environments where IIO devices are frequently registered and unregistered, since each failed registration adds to the leak. The fix implements proper error handling: when iio_device_register_sysfs_group() returns an error, the previously allocated attrs array is freed before the function returns, so the leak no longer occurs. This remediation aligns with CWE-401, which addresses improper handling of memory allocation failures, and follows the defensive-programming principle that every allocated resource must be released on every exit path. Organizations should also monitor their embedded systems for memory leaks (kmemleak, where enabled, reports exactly this pattern) and consider scheduled reboots as a temporary workaround while awaiting patch deployment, particularly in mission-critical environments where system stability is essential for operational continuity.
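The leak and its fix, reduced to a self-contained illustration (added here, not the kernel's code): kmalloc_stub/kfree_stub, register_sysfs_group_stub and struct eventset are constructed stand-ins, and a live-allocation counter plays the role kmemleak plays in the report above. The only difference between the two registration functions is the kfree on the failure path.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-ins: a live-allocation counter plays kmemleak's role. */
static int live_allocs;
static void *kmalloc_stub(size_t n) { live_allocs++; return calloc(1, n); }
static void kfree_stub(void *p) { if (p) { live_allocs--; free(p); } }

/* Stand-in for iio_device_register_sysfs_group(); 'fail' selects the outcome. */
static int register_sysfs_group_stub(int fail) { return fail ? -ENOMEM : 0; }

struct eventset { void **attrs; };   /* constructed model of the owning struct */

/* Before the fix: when registration fails, attrs becomes unreachable. */
static int register_eventset_leaky(struct eventset *ev, int nattrs, int fail)
{
    void **attrs = kmalloc_stub((nattrs + 1) * sizeof(*attrs));
    if (!attrs)
        return -ENOMEM;
    int ret = register_sysfs_group_stub(fail);
    if (ret)
        return ret;                   /* attrs leaks here */
    ev->attrs = attrs;
    return 0;
}

/* After the fix: the error path releases attrs before returning. */
static int register_eventset_fixed(struct eventset *ev, int nattrs, int fail)
{
    void **attrs = kmalloc_stub((nattrs + 1) * sizeof(*attrs));
    if (!attrs)
        return -ENOMEM;
    int ret = register_sysfs_group_stub(fail);
    if (ret) {
        kfree_stub(attrs);            /* the one-line fix */
        return ret;
    }
    ev->attrs = attrs;
    return 0;
}

/* Normal teardown on the success path. */
static void unregister_eventset(struct eventset *ev) { kfree_stub(ev->attrs); ev->attrs = NULL; }

/* Run one register/unregister cycle; return allocations still live afterwards. */
static int leaked_after(int (*reg)(struct eventset *, int, int), int fail)
{
    struct eventset ev = { 0 };
    live_allocs = 0;
    if (reg(&ev, 4, fail) == 0)
        unregister_eventset(&ev);
    return live_allocs;               /* kmemleak-style count of unreferenced objects */
}
```

With a failing registration the leaky variant leaves one object live and the fixed variant none; on the success path both are clean, which is why the bug only surfaces under error conditions.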

Responsible

Linux

Reservation

10/22/2025

Disclosure

10/22/2025

Moderation

accepted

CPE

ready

EPSS

0.00195

KEV

no

Activities

very low
