CVE-2022-49011: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49011 is a memory management vulnerability in the Linux kernel's hardware monitoring (hwmon) subsystem, specifically in the coretemp driver. The vulnerability was discovered and disclosed in 2022, affecting Linux kernel versions from 3.14 through 6.1-rc7. The issue occurs in the nv1a_ram_new() function where a PCI device reference count is not properly decremented after use (NVD).

The vulnerability stems from a counting logic flaw in the Linux kernel's coretemp driver. When pci_get_domain_bus_and_slot() is called, it returns a PCI device with an incremented reference count. The function fails to properly decrement this reference count by calling pci_dev_put() after use, leading to a memory leak. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Red Hat).

The vulnerability results in a memory leak due to improper reference counting, which can lead to resource exhaustion over time. This can potentially affect system availability and performance. The issue is classified as CWE-401: Missing Release of Memory after Effective Lifetime (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that properly decrements the PCI device reference count by calling pci_dev_put() after use. The fix has been backported to various stable kernel versions. For RHEL systems, the fix is included in RHEL-9.4 and above (Red Hat).