CVE-2022-49949: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a memory leak vulnerability (CVE-2022-49949) was discovered in the firmware loader component. The issue occurs when an instance of struct fwupload is allocated in firmwareuploadregister() but fails to be properly freed in fwdevrelease(). This vulnerability was identified and resolved through the creation of a new fwuploadfree() function in sysfsupload.c to handle firmware-upload specific memory frees and incorporate the missing kfree call for the fw_upload structure (NVD, Debian Tracker).

The vulnerability stems from a memory management issue in the Linux kernel's firmware loader component. Specifically, when firmware-upload operations are performed, the system allocates an instance of struct fwupload during the firmwareuploadregister() process. However, the corresponding deallocation was missing in the fwdevrelease() function, leading to a memory leak. The fix involved implementing a new fwuploadfree() function in sysfsupload.c to properly manage memory deallocation (NVD).

The primary impact of this vulnerability is a memory leak in the Linux kernel's firmware upload functionality. Over time, if the affected code path is repeatedly triggered, this could potentially lead to resource exhaustion (Wiz).

The vulnerability has been patched in various Linux distributions. Fixed versions are available in Debian distributions: bullseye (5.10.237-1), bookworm (6.1.140-1), and trixie (6.12.31-1). Users are advised to update their systems to these patched versions to mitigate the vulnerability (Debian Tracker).