CVE-2022-50267: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-50267 is a vulnerability discovered in the Linux kernel, specifically affecting the mmc subsystem's rtsx_pci component. The vulnerability was publicly disclosed in September 2025 and affects various Linux distributions and their kernel versions (NVD, Ubuntu).

The vulnerability stems from improper return value checking of the mmcaddhost() function in the rtsxpci driver. When mmcaddhost() returns an error, the memory allocated by mmcalloc_host() is not properly freed, leading to a memory leak. Additionally, this can cause a kernel crash when attempting to delete a device that was not properly added in the remove path (NVD).

The vulnerability can result in memory leaks and potential kernel crashes, affecting system stability and reliability. This impacts various Linux distributions including Ubuntu 22.04 LTS and other versions running affected kernel versions (Ubuntu).

Multiple Linux distributions have released fixes for this vulnerability. Ubuntu has addressed the issue in various kernel versions, including linux-5.15.0-69.76 for 22.04 LTS and linux-5.15.0-69.76~20.04.1 for 20.04 LTS. The fix involves properly checking the return value of mmcaddhost() and calling mmcfreehost() in the error path, along with disabling runtime PM (Ubuntu).