CVE-2022-49906: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49906 is a vulnerability discovered in the Linux kernel's ibmvnic driver. The issue was disclosed on May 1, 2025, affecting Linux kernel versions from 5.14 up to 6.0.8. The vulnerability stems from improper memory management in the ibmvnic driver's reset functionality (NVD).

The vulnerability occurs in the handling of rwi (reset work item) structures within the ibmvnic driver. Specifically, the issue was introduced by commit 4f408e1fa6e1 ('ibmvnic: retry reset if there are no other resets'), which fails to properly free the rwi structure when the last rwi in the list is processed successfully. This results in a 32-byte memory leak each time this condition is met. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Wiz).

The primary impact of this vulnerability is a memory leak of 32 bytes each time the specific condition is triggered. While the immediate impact per occurrence is relatively small, repeated triggers could lead to cumulative memory consumption over time, potentially affecting system stability and performance (Wiz).

The vulnerability has been fixed in various Linux distributions. Ubuntu has released patches for affected versions, including Ubuntu 22.04 LTS (linux 5.15.0-60.66), Ubuntu 20.04 LTS (linux-hwe-5.15 5.15.0-60.66~20.04.1), and other supported versions. Red Hat has deferred fixes for RHEL 9. Users are advised to update their systems to the patched versions (Ubuntu, Red Hat).