CVE-2022-49682: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-49682 is a vulnerability discovered in the Linux kernel affecting the xtensa architecture's time calibration functionality. The issue was disclosed on February 26, 2025, and involves a reference counting leak in the calibrate_ccount() function within the time.c file (NVD).

The vulnerability stems from a reference counting issue in the Linux kernel's xtensa architecture implementation. Specifically, in the calibrateccount() function, the offindcompatiblenode() function returns a node pointer with an incremented reference count, but the code failed to properly release this reference using ofnodeput() when it was no longer needed. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in a reference count leak in the Linux kernel's xtensa architecture implementation. While the direct impact is a memory leak, this could potentially lead to resource exhaustion over time, affecting system availability (NVD).

The vulnerability has been fixed through a patch that adds the missing ofnodeput() call in the calibrate_ccount() function. The fix has been implemented across multiple Linux kernel versions, including fixes for version 4.15.0 through 6.1.x. Various Linux distributions have released updated kernel packages incorporating this fix (Debian Security).