CVE-2022-50868 in Linux
Summary
by MITRE • 12/30/2025
In the Linux kernel, the following vulnerability has been resolved:
hwrng: amd - Fix PCI device refcount leak
for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the normal and error path.
Analysis
by VulDB Data Team • 04/26/2026
The vulnerability identified as CVE-2022-50868 represents a critical resource management flaw within the Linux kernel's hardware random number generator subsystem, specifically affecting the amd hwrng driver. This issue manifests as a reference count leak in PCI device handling operations, creating a potential denial of service condition that could compromise system stability and resource availability. The flaw exists in the kernel's handling of PCI device enumeration where proper reference counting mechanisms are not consistently applied throughout all execution paths.
The technical root cause of this vulnerability is improper management of PCI device reference counts around the for_each_pci_dev() iteration macro. The Linux kernel's PCI subsystem implements this macro through the pci_get_device() function, which is documented to increment the reference count of the returned pci_dev structure and to decrement the reference count of the input pci_dev @from parameter when it is not NULL. As a result, developers must balance the reference count themselves whenever they break out of the loop or handle an error condition. The specific implementation error occurs when the for_each_pci_dev() loop terminates with a non-NULL pdev value and the code fails to make the pci_dev_put() call that would decrement the reference count.
This memory management oversight creates a persistent resource leak that accumulates over time as the system continues to process PCI device enumeration operations. The vulnerability specifically affects systems utilizing AMD hardware random number generators where the hwrng subsystem attempts to locate and configure PCI devices for hardware entropy collection. When the loop terminates prematurely or encounters error conditions, the reference count of the PCI device structure remains incremented, preventing proper cleanup and resource deallocation. This condition can lead to gradual system resource exhaustion, particularly in environments with frequent device enumeration or high system utilization.
The operational impact of CVE-2022-50868 extends beyond simple memory leaks to potentially compromise system stability and availability. Systems running affected kernel versions may experience progressive resource degradation where available PCI device structures become unavailable for legitimate use cases. The vulnerability affects both normal operational paths and error handling scenarios, meaning that any interaction with the amd hwrng driver could potentially trigger the reference count leak. This makes the issue particularly concerning for server environments and systems requiring sustained operation where resource exhaustion could lead to system crashes or forced reboots.
Mitigation requires immediate kernel updates to versions containing the patched implementation. The fix implements proper reference count management by ensuring that pci_dev_put() is called in all code paths, including both normal termination and error conditions of the for_each_pci_dev() loop. This follows established security practice and the principle of consistent resource management described in CWE-404, which addresses improper resource release or unbalanced resource management. Organizations should prioritize patching systems running affected kernel versions, particularly those in production environments where resource exhaustion could impact critical operations. The fix adheres to kernel development best practices and represents a standard approach to preventing resource leaks in kernel subsystems; the condition it addresses relates to ATT&CK techniques concerning system resource hijacking and denial of service operations.
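The reference-count contract described above can be reproduced in user space. The following is an added example, not the kernel driver or the upstream patch: struct dev, get_next(), dev_put(), load() and unload() are hypothetical stand-ins, the three-device bus is constructed sample data, and releasing the normal-path reference at unload is an assumption of the model.

```c
/* User-space model only: struct dev, get_next() and dev_put() are hypothetical
 * stand-ins for pci_dev, pci_get_device() and pci_dev_put(), not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct dev { int id; int refs; };
static struct dev bus[3];   /* constructed sample bus */
static struct dev *held;    /* device the driver keeps between load and unload */

static void bus_reset(void) {
    for (int i = 0; i < 3; i++) { bus[i].id = 0x10 + i; bus[i].refs = 1; }
    held = NULL;
}
static void dev_put(struct dev *d) { if (d) d->refs--; }

/* Iterator contract: drop the reference on 'from', take one on the result. */
static struct dev *get_next(struct dev *from) {
    size_t i = from ? (size_t)(from - bus) + 1 : 0;
    dev_put(from);
    if (i >= 3) return NULL;
    bus[i].refs++;
    return &bus[i];
}

static int load(int want, int fail_setup, int fixed) {
    struct dev *pdev = NULL;
    while ((pdev = get_next(pdev)) != NULL)   /* same shape as for_each_pci_dev() */
        if (pdev->id == want) break;          /* leaves the loop holding a reference */
    if (!pdev) return -1;                     /* ran to the end: iterator already balanced */
    if (fail_setup) {                         /* error path after the match */
        if (fixed) dev_put(pdev);
        return -1;
    }
    held = pdev;                              /* normal path: keep it until unload */
    return 0;
}
static void unload(int fixed) { if (fixed) dev_put(held); held = NULL; }

/* Returns the number of references still outstanding after load (+ unload). */
static int scenario(int want, int fail_setup, int fixed) {
    int leaked = 0;
    bus_reset();
    if (load(want, fail_setup, fixed) == 0) unload(fixed);
    for (int i = 0; i < 3; i++) leaked += bus[i].refs - 1;
    return leaked;
}

int main(void) {
    printf("unfixed: normal=%d error=%d\n", scenario(0x11, 0, 0), scenario(0x11, 1, 0));
    printf("fixed:   normal=%d error=%d\n", scenario(0x11, 0, 1), scenario(0x11, 1, 1));
    return 0;
}
```

When no device matches, the iterator itself drops the last reference, so only an early break leaves a count outstanding.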