
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-49648 affects the Linux kernel's tracing/histograms functionality. The vulnerability was discovered in 2022 and involves a memory leak in the histogram tracing subsystem. The problem occurs when allocating var_defs.expr fails, which leaves the corresponding var_defs.name allocation uncleaned (NVD).
The vulnerability stems from a regression introduced by commit 46bbe5c671e0 ("tracing: fix double free"). When allocating the N-th var_defs.expr fails, the N-th var_defs.name is not freed, while the names from the 0th to the (N-1)-th are freed in free_var_defs(). The resulting memory leak can be detected with CONFIG_DEBUG_KMEMLEAK. The issue has a CVSS v3.1 Base Score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).
The vulnerability results in memory leaks when histogram triggers are used in the Linux kernel tracing system. When triggered, it can lead to gradual memory exhaustion in the kernel. This is particularly concerning for long-running systems, where the leaked memory can accumulate over time (NVD).
The issue has been fixed by reverting commit 46bbe5c671e0 and restoring proper memory cleanup in the parse_var_defs() function. The fix ensures that when the var_defs.expr allocation fails, the corresponding var_defs.name is freed. The patch has been merged into various stable kernel versions (Kernel Patch).
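The leak pattern described above, as an added user-space model that is not kernel code: `struct var_defs`, `parse_var_defs()` and `free_var_defs()` are simplified stand-ins for the kernel's, and `xstrdup()`/`xfree()` are a hypothetical fault injector plus allocation counter playing the role of CONFIG_DEBUG_KMEMLEAK. The `fixed` flag switches between the cleanup left after commit 46bbe5c671e0 and the cleanup restored by the fix.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model (not kernel code) of var_defs: parallel name/expr arrays; n_vars counts complete pairs. */
struct var_defs { char *name[4]; char *expr[4]; int n_vars; };
/* Allocation bookkeeping standing in for CONFIG_DEBUG_KMEMLEAK, plus a hypothetical
 * fault injector: the fail_at-th allocation returns NULL (0 = never fail). */
static int live_allocs, alloc_seq, fail_at;
static char *xstrdup(const char *s)
{ if (++alloc_seq == fail_at) return NULL; live_allocs++; return strdup(s); }
static void xfree(char *p) { if (p) { live_allocs--; free(p); } }
/* Mirrors free_var_defs(): only the n_vars completed slots are released. */
static void free_var_defs(struct var_defs *vd)
{
    for (int i = 0; i < vd->n_vars; i++) { xfree(vd->name[i]); xfree(vd->expr[i]); }
    vd->n_vars = 0;
}
/* Mirrors parse_var_defs() on "var=expr" strings; fixed == 0 is the cleanup after 46bbe5c671e0 dropped the kfree(). */
static int parse_var_defs(struct var_defs *vd, const char *const *defs, int ndefs, int fixed)
{
    int n_vars = 0;
    for (int i = 0; i < ndefs && n_vars < 4; i++) {
        char buf[64], *eq;
        snprintf(buf, sizeof buf, "%s", defs[i]);
        if (!(eq = strchr(buf, '='))) goto err;
        *eq = '\0';
        if (!(vd->name[n_vars] = xstrdup(buf))) goto err;
        if (!(vd->expr[n_vars] = xstrdup(eq + 1))) {
            /* name[n_vars] is not yet counted, so free_var_defs() below skips it */
            if (fixed) xfree(vd->name[n_vars]);
            goto err;
        }
        vd->n_vars = ++n_vars;   /* a slot counts only once both halves exist */
    }
    return 0;
err:
    free_var_defs(vd);
    return -1;
}
/* Parse two constructed defs with the given fault point; return blocks still live afterwards, i.e. leaked. */
static int leaked_blocks(int fixed, int fail_after)
{
    const char *defs[] = { "x=common_pid", "y=next_pid" };
    struct var_defs vd = { {0}, {0}, 0 };
    live_allocs = alloc_seq = 0; fail_at = fail_after;
    if (parse_var_defs(&vd, defs, 2, fixed) == 0) free_var_defs(&vd);
    return live_allocs;
}
```

With the fourth allocation (the second expr) failing, the regressed cleanup leaves exactly one block live, the second name; the restored kfree() brings that back to zero, and a failure of a name allocation never leaks because nothing half-built exists at that point.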
Source: This report was generated using AI