CVE-2022-48907: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-48907 is a memory leak vulnerability discovered in the Linux kernel's auxdisplay subsystem, specifically in the lcd2s driver. The vulnerability was disclosed in August 2024 and affects Linux kernel versions from 5.11 up to versions before 5.15.27, and from 5.16 up to versions before 5.16.13, as well as several 5.17 release candidates (NVD).

The vulnerability occurs in the lcd2s driver where the struct lcd2s_data is allocated but never freed when the device is removed. This memory leak was introduced in the original implementation of the lcd2s character display driver. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is on system availability (NVD).

The vulnerability can lead to resource exhaustion over time, as repeated loading and unloading of the lcd2s driver results in increased memory usage. This continuous memory leak could potentially impact system performance and stability through gradual memory depletion (Red Hat).

The vulnerability has been fixed by switching to devm_kzalloc() for memory allocation. The fix has been implemented through patches in the Linux kernel, which properly handle the memory allocation and deallocation process (Kernel Patch).