CVE-2022-49717: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-49717 is a vulnerability discovered in the Linux kernel's irqchip/apple-aic component, specifically related to a refcount leak in the buildfiqaffinity function. The issue was identified and disclosed in February 2025, affecting Linux kernel versions from 5.18 up to but not including 5.18.6, as well as versions 5.19-rc1 and 5.19-rc2 (NVD).

The vulnerability stems from a missing ofnodeput() call in the buildfiqaffinity function within the Apple AIC (Advanced Interrupt Controller) driver. The offindnodebyphandle() function returns a node pointer with an incremented refcount, which should be decremented using ofnodeput() when no longer needed. This oversight leads to a reference count leak. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The refcount leak in the Linux kernel's interrupt handling system could potentially lead to resource exhaustion over time, affecting system stability and availability. The vulnerability specifically impacts systems using the Apple AIC driver (NVD).

The vulnerability has been fixed by adding the missing ofnodeput() call to properly release the reference count. The fix was implemented in the Linux kernel through commit b1ac803f47cb1615468f35cf1ccb553c52087301. Users are advised to upgrade to patched versions of the kernel (Kernel Patch).