CVE-2022-48975: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-48975 is a memory leak vulnerability discovered in the Linux kernel's GPIO (General Purpose Input/Output) subsystem. The issue specifically affects the gpiochip_setup_dev() function, where a memory leak occurs when device_add() succeeds but resources are not properly released. The vulnerability was disclosed on October 21, 2024, and affects Linux kernel versions from 4.6 up to versions before 5.15.83, from 5.16 up to versions before 6.0.13, and various release candidates of version 6.1 (NVD).

The vulnerability stems from improper resource management in the GPIO subsystem. When gcdev_register() and gcdev_unregister() call device_add() and device_del() respectively, resources allocated by device_private_init() (including struct device_private) are not properly released after device_add() succeeds. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access required with low attack complexity (NVD).

The vulnerability results in memory leaks in the Linux kernel's GPIO subsystem. When triggered, it can lead to resource exhaustion over time, potentially affecting system stability and performance. The CVSS score indicates that while the vulnerability doesn't impact confidentiality or integrity, it can have a high impact on system availability (NVD).

The vulnerability has been fixed through patches that modify the resource release mechanism in gpiochip_setup_dev(). The fix moves forward the register of release function and uses put_device() to release resources instead of kfree(). Additionally, it addresses a subtle issue related to memory allocation when gc->ngpio is zero (Kernel Patch).