CVE-2022-49803
Linux Kernel vulnerability analysis and mitigation

Overview

A memory leak vulnerability (CVE-2022-49803) was identified in the Linux kernel's netdevsim driver. The vulnerability was discovered and disclosed on May 1, 2025. The issue is a memory leak of nsim_dev->fa_cookie in the netdevsim driver (NVD CVE, Wiz Security).

Technical details

The vulnerability occurs in the nsim_dev_trap_fa_cookie_write() function, where memory is allocated using kmalloc() for fa_cookie and assigned to nsim_dev->fa_cookie, but this allocated memory is not properly freed in nsim_drv_remove(). The issue was confirmed through kmemleak, which reported an unreferenced object at address 0xffff8881bac872d0 with a size of 8 bytes. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat Security, Debian Security).

Impact

The vulnerability results in a memory leak in the Linux kernel's netdevsim module, which could potentially lead to resource exhaustion over time if repeatedly triggered. The impact is considered moderate, primarily affecting system availability without compromising confidentiality or integrity (Wiz Security, Red Hat Security).

Mitigation and workarounds

The fix involves adding kfree(nsim_dev->fa_cookie) to the nsim_drv_remove() function to properly free the allocated memory. This ensures proper cleanup when the driver is removed. The fix has been implemented in various Linux distributions, with Debian 12 and 13 having fixes available, while some versions like Red Hat Enterprise Linux 8, 9 and Ubuntu 16.04 through 22.04 are still pending fixes (Debian Security, Wiz Security).
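
The leak and its fix, as an added userspace model (not code from the kernel or from this page): a write handler attaches a heap-allocated cookie to a device, and teardown either orphans it or frees it. All struct and function names are hypothetical, malloc()/free() stand in for kmalloc()/kfree(), and the free-on-replace step in the write handler is an assumption of the model.

```c
/* Userspace model (hypothetical names); malloc/free stand in for kmalloc/kfree. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static long live_allocs; /* outstanding allocations: what a leak detector would see */
static void *model_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void model_free(void *p) { if (p) { live_allocs--; free(p); } }
struct model_dev { void *fa_cookie; };

/* Write handler: attach a new cookie. Model assumption: the old one is freed on replace. */
static int cookie_write(struct model_dev *dev, const void *buf, size_t len)
{
    void *cookie = model_alloc(len);
    if (!cookie) return -1;
    memcpy(cookie, buf, len);
    model_free(dev->fa_cookie);
    dev->fa_cookie = cookie;
    return 0;
}

/* Teardown: without the fix only the device is released and the cookie is orphaned. */
static void model_remove(struct model_dev *dev, int fixed)
{
    if (fixed) model_free(dev->fa_cookie); /* the free the fix adds */
    model_free(dev);
}

/* One create/write/remove cycle; returns how many allocations outlive the device. */
static long leaked_after_cycle(int fixed, int writes)
{
    const unsigned char payload[8] = {0}; /* constructed 8-byte cookie */
    long before = live_allocs;
    struct model_dev *dev = model_alloc(sizeof(*dev));
    if (!dev) return -1;
    dev->fa_cookie = NULL;
    for (int i = 0; i < writes; i++)
        if (cookie_write(dev, payload, sizeof(payload)) != 0) break;
    void *last = dev->fa_cookie; /* remembered only so this demo can clean up */
    model_remove(dev, fixed);
    long leaked = live_allocs - before;
    if (!fixed) model_free(last); /* demo cleanup, not part of the modelled driver */
    return leaked;
}

int main(void)
{
    printf("leaked before fix: %ld\n", leaked_after_cycle(0, 3));
    printf("leaked after fix:  %ld\n", leaked_after_cycle(1, 3));
    return 0;
}
```

In this model each create/write/remove cycle without the fix leaves exactly one cookie allocated, however many writes preceded the removal.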

This report was generated using AI.
