CVE-2022-48863: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-48863 is a memory leak vulnerability discovered in the Linux kernel's mISDN (modular ISDN) driver, specifically in the dsppipelinebuild() function. The vulnerability was identified by the Linux Driver Verification project using SVACE tool and was publicly disclosed on July 16, 2024. This issue affects Linux kernel versions from 2.6.27 up to versions before 5.10.106, from 5.11 up to versions before 5.15.29, and from 5.16 up to versions before 5.16.15 (NVD).

The vulnerability occurs in the dsppipelinebuild() function within the mISDN driver. The function allocates a 'dup' pointer using kstrdup(cfg), but then updates the dup variable using strsep(&dup, "|"). As a result, when kfree(dup) is called, the dup variable contains NULL, leading to a memory leak. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a memory leak in the Linux kernel's mISDN driver. While there are no direct confidentiality or integrity impacts, the availability of the system could be compromised through resource exhaustion due to the memory leak (NVD).

The vulnerability has been fixed in multiple Linux kernel versions. The fix involves modifying the dsppipelinebuild() function to maintain a reference to the original allocated memory. Updates are available for various distributions including Ubuntu 20.04 LTS (5.4.0-196.216), Ubuntu 18.04 LTS (4.15.0-229.241), and Ubuntu 16.04 LTS (4.4.0-259.293) (Ubuntu Security).