CVE-2022-49237: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49237 affects the Linux kernel's ath11k driver. The vulnerability was discovered in 2022 and involves a memory leak caused by missing ofnodeput() calls in the driver code. The issue specifically affects the node pointer handling returned by offindnodebytype() or ofparsephandle() functions where the reference count was not properly decremented (Debian Security).

The vulnerability stems from improper reference counting in the ath11k driver's memory management. When the node pointer is returned by offindnodebytype() or ofparsephandle() functions, its reference count is incremented, but the code failed to call ofnodeput() to decrement the count, resulting in a memory leak. The issue was introduced by commit 6ac04bdc5edb titled "ath11k: Use reserved host DDR addresses from DT for PCI devices" and was fixed in Linux kernel version 5.18-rc1 (Kernel Git).

The vulnerability results in a memory leak in the Linux kernel's ath11k driver. While memory leaks can gradually consume system resources, this particular issue has relatively low severity as it only affects systems using the ath11k wireless driver and requires specific conditions to trigger (Debian Security).

The issue has been fixed in Linux kernel version 5.18-rc1 with commit 3d38faef0de1. The fix adds the missing ofnodeput() calls in the affected code paths. Users should upgrade to a kernel version containing this fix. For Debian users, fixed versions are available in bullseye (5.10.234-1), bookworm (6.1.128-1), and sid/trixie (6.12.17-1) (Debian Security).