CVE-2022-49729: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49729 is a memory leak vulnerability discovered in the Linux kernel's NFC (Near Field Communication) subsystem, specifically in the nfcmrvl driver's play_deferred function. The vulnerability was disclosed on February 26, 2025, affecting various versions of the Linux kernel (NVD).

The vulnerability occurs in the nfcmrvlplaydeferred function where USB URBs (USB Request Blocks) are handled incorrectly. The issue arises when usbsubmiturb is called directly to submit deferred tx urbs after unanchoring them, causing usbgivebackurbbh to fail to unreference it in usbunanchor_urb, resulting in a memory leak. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability leads to memory leaks in the Linux kernel's NFC subsystem, which could potentially result in system resource exhaustion over time. While the vulnerability doesn't allow for information disclosure or system compromise, it affects system availability by gradually consuming memory resources (NVD).

The vulnerability has been fixed by modifying the URB handling in the nfcmrvlplaydeferred function. The fix involves putting the URBs in tx_anchor to prevent the memory leak and implementing proper error handling. The patch has been integrated into various Linux kernel versions (Kernel Patch).