CVE-2022-49860: 
Linux Kernel vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2022-49860) was identified in the Linux kernel's DMA engine subsystem, specifically in the TI K3 UDMA glue code. The vulnerability was discovered and disclosed on May 1, 2025, affecting Linux kernel versions from 5.11 up to 5.15.79 and from 5.16 up to 6.0.9. The issue occurs when device registration fails, where the system fails to properly release device references (NVD).

The vulnerability exists in the device registration process where if deviceregister() fails, the system fails to call putdevice() to release the reference. The name allocated in devsetname() remains in memory without being properly freed, though it could be handled by the kobject_cleanup() callback function. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD, Wiz).

The primary impact of this vulnerability is a memory leak in the Linux kernel's DMA engine subsystem. This could potentially lead to resource exhaustion over time, affecting system performance and stability. The CVSS scoring indicates no impact on confidentiality or integrity, but a high impact on system availability (Wiz).

The vulnerability has been addressed through a patch in the Linux kernel. The fix ensures proper cleanup by calling putdevice() when device registration fails, allowing the allocated name to be freed through the kobjectcleanup() callback function. Various Linux distributions have either implemented fixes or deferred fixes, with Red Hat Enterprise Linux 9 having deferred the fix for both kernel and kernel-rt packages (Red Hat).