CVE-2022-50659 in Linux
Summary
by MITRE • 12/09/2025
In the Linux kernel, the following vulnerability has been resolved:
hwrng: geode - Fix PCI device refcount leak
for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. We add a new struct 'amd_geode_priv' to record pointer of the pci_dev and membase, and then add missing pci_dev_put() for the normal and error path.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/29/2026
The vulnerability identified as CVE-2022-50659 represents a critical reference counting issue within the Linux kernel's hardware random number generator implementation for Geode processors. This flaw exists in the hwrng subsystem specifically targeting the geode hardware random number generator driver, where improper handling of PCI device reference counts creates a persistent memory leak that can lead to system instability and resource exhaustion. The vulnerability stems from the incorrect management of PCI device objects within the kernel's device enumeration loop, directly impacting the kernel's memory management and device resource handling capabilities.
The technical implementation flaw occurs when the for_each_pci_dev() macro iterates through PCI devices, where the underlying pci_get_device() function automatically increments the reference count of returned pci_dev structures. However, when the iteration loop is terminated prematurely with a non-null pdev pointer, the system fails to properly decrement the reference count through the required pci_dev_put() function call. This creates a situation where PCI device objects remain in memory indefinitely, consuming kernel resources and potentially leading to system crashes or denial of service conditions. The issue specifically affects the Geode processor's hardware random number generator implementation, which relies on proper PCI device management for secure random number generation.
The operational impact of this vulnerability extends beyond simple memory leaks to potentially compromise system security and stability. When the reference count leak occurs, it can cause progressive resource exhaustion that may eventually lead to kernel memory allocation failures, system hangs, or complete system crashes. The vulnerability particularly affects systems running Linux kernels with Geode processors where hardware random number generation is actively utilized, potentially weakening cryptographic security measures that depend on quality random number generation. This represents a direct violation of the kernel's resource management principles and can be exploited by malicious actors to perform denial of service attacks or potentially gain unauthorized access to system resources.
The fix implemented addresses this issue by introducing a new private structure called amd_geode_priv that properly tracks PCI device pointers and memory base addresses, ensuring that all PCI device references are properly managed throughout the driver's lifecycle. This solution directly addresses the missing pci_dev_put() calls that were required on both normal execution paths and error handling scenarios. The mitigation strategy aligns with CWE-404, which specifically addresses improper resource management, and follows the ATT&CK framework's resource exhaustion techniques by ensuring proper reference counting and memory management. The fix demonstrates proper kernel development practices by implementing comprehensive error handling and resource cleanup procedures that prevent the accumulation of unreleased PCI device references, thereby maintaining system stability and security. This vulnerability resolution exemplifies the critical importance of proper reference counting in kernel space programming and the potential consequences of inadequate resource management in security-critical system components.