CVE-2022-50663 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix possible memory leak in stmmac_dvr_probe()

The bitmap_free() should be called to free priv->af_xdp_zc_qps when create_singlethread_workqueue() fails, otherwise there will be a memory leak, so we add the err path error_wq_init to fix it.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 03/29/2026

The vulnerability identified as CVE-2022-50663 affects the Linux kernel's stmmac network driver implementation, specifically within the stmmac_dvr_probe() function. This issue represents a memory management flaw that occurs during the driver initialization process, where proper resource cleanup is not performed when certain initialization steps fail. The stmmac driver is responsible for managing ethernet controllers in various embedded systems and hardware platforms, making this vulnerability particularly significant for device drivers that require robust memory management under all operational conditions. The problem manifests when the create_singlethread_workqueue() function fails during driver probe, leaving allocated memory resources in an inconsistent state.

The technical flaw stems from improper error handling within the driver's initialization sequence where the bitmap_free() function is not invoked to release memory allocated for priv->af_xdp_zc_qps when the workqueue creation fails. This represents a classic memory leak scenario where allocated kernel memory remains unreleased despite the failure of subsequent initialization steps. The vulnerability is categorized under CWE-401 as a failure to release memory allocated for a resource, specifically manifesting as a resource leak in kernel space. The affected code path demonstrates inadequate defensive programming practices where error recovery paths do not properly clean up previously allocated resources, leading to progressive memory consumption that could eventually impact system stability and performance.

The operational impact of this vulnerability extends beyond simple memory consumption as it can lead to system instability and potential denial of service conditions in embedded environments where memory resources are constrained. When the stmmac driver fails to initialize properly due to workqueue creation issues, the memory leak compounds over time as the driver attempts to reinitialize or when multiple failure scenarios occur. This vulnerability particularly affects systems using the stmmac driver for ethernet communication, including automotive systems, industrial control devices, and embedded networking hardware. The memory leak can be exacerbated in high-availability systems where driver initialization and reinitialization occur frequently, potentially leading to progressive memory exhaustion and system degradation.

Mitigation strategies for CVE-2022-50663 focus on applying the kernel patch that introduces the err path error_wq_init to ensure proper cleanup of allocated resources when create_singlethread_workqueue() fails. The fix implements proper error handling by ensuring that bitmap_free() is called to release priv->af_xdp_zc_qps memory before returning from the stmmac_dvr_probe() function. Organizations should prioritize updating their kernel versions to include this patch, particularly in embedded systems and industrial environments where the stmmac driver is deployed. The vulnerability aligns with ATT&CK technique T1490 which involves resource exhaustion through memory leaks, and represents a critical component of kernel security hygiene. System administrators should monitor for kernel updates and ensure that all embedded systems using stmmac drivers receive the patched kernel version to prevent potential exploitation of this memory management flaw that could lead to system instability or denial of service conditions.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00208

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!