Linux Kernel up to 5.10.110/5.15.33/5.16.19/5.17.2 pm8001_chip_fw_flash_update_req memory leak

Summaryinfo

A vulnerability, which was classified as critical, was found in Linux Kernel up to 5.10.110/5.15.33/5.16.19/5.17.2. This affects the function pm8001_chip_fw_flash_update_req. Such manipulation leads to memory leak. This vulnerability is traded as CVE-2022-49119. There is no exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Linux Kernel up to 5.10.110/5.15.33/5.16.19/5.17.2. It has been rated as critical. Affected by this issue is the function pm8001_chip_fw_flash_update_req. The manipulation with an unknown input leads to a memory leak vulnerability. Using CWE to declare the problem leads to CWE-401. The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. Impacted is availability. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix memory leak in pm8001_chip_fw_flash_update_req() In pm8001_chip_fw_flash_update_build(), if pm8001_chip_fw_flash_update_build() fails, the struct fw_control_ex allocated must be freed.

The advisory is shared for download at git.kernel.org. This vulnerability is handled as CVE-2022-49119 since 02/26/2025. There are known technical details, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 234545 (SUSE SLES12 Security Update : kernel (SUSE-SU-2025:1293-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 5.10.111, 5.15.34, 5.16.20 or 5.17.3 eliminates this vulnerability. Applying the patch d83574666bac4b1462e90df393fbed6c5f57d1a3/e5ecdb01952f230921aa8163d8d7f4c97c925ed8/fe5b8ea5583b5c3f6f68e06acba50387edf3b5d5/a25ed5f21f94f9ae4bcc8dd747e978668890c921/f792a3629f4c4aa4c3703d66b43ce1edcc3ec09a is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (234545). Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 5.10.110
• 5.15.0
• 5.15.1
• 5.15.2
• 5.15.3
• 5.15.4
• 5.15.5
• 5.15.6
• 5.15.7
• 5.15.8
• 5.15.9
• 5.15.10
• 5.15.11
• 5.15.12
• 5.15.13
• 5.15.14
• 5.15.15
• 5.15.16
• 5.15.17
• 5.15.18
• 5.15.19
• 5.15.20
• 5.15.21
• 5.15.22
• 5.15.23
• 5.15.24
• 5.15.25
• 5.15.26
• 5.15.27
• 5.15.28
• 5.15.29
• 5.15.30
• 5.15.31
• 5.15.32
• 5.15.33
• 5.16.0
• 5.16.1
• 5.16.2
• 5.16.3
• 5.16.4
• 5.16.5
• 5.16.6
• 5.16.7
• 5.16.8
• 5.16.9
• 5.16.10
• 5.16.11
• 5.16.12
• 5.16.13
• 5.16.14
• 5.16.15
• 5.16.16
• 5.16.17
• 5.16.18
• 5.16.19
• 5.17.0
• 5.17.1
• 5.17.2

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion