CVE-2022-49609: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49609 is a vulnerability in the Linux kernel affecting the power/reset functionality for ARM versatile systems. The vulnerability was discovered in the versatile_reboot_probe function where a reference count leak occurs due to missing node cleanup. The issue was disclosed in February 2025 and affects Linux kernel versions from 3.18 to versions before 4.9.325 (NVD).

The vulnerability stems from improper reference counting in the ARM versatile reboot driver. Specifically, the of_find_matching_node_and_match() function returns a node pointer with an incremented reference count, but the code failed to call of_node_put() to decrement the count when the node is no longer needed. This results in a reference count leak in the versatile_reboot_probe function. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The reference count leak could lead to memory resource exhaustion over time as system resources are not properly freed. While there is no direct impact on confidentiality or integrity, the availability of the system could be affected due to the accumulation of leaked resources (NVD).

The vulnerability has been fixed by adding the missing of_node_put(np) call to properly release the node reference when it's no longer needed. The fix has been implemented in the Linux kernel through a patch that adds the necessary cleanup code (Kernel Patch). Users should update to patched kernel versions to mitigate this issue.