CVE-2022-50269: 
Linux Kernel vulnerability analysis and mitigation

A memory leak vulnerability was discovered in the Linux kernel's drm/vkms module, identified as CVE-2022-50269. The issue occurs when the vkms module installation fails, specifically in the vkms_init() function. The vulnerability was disclosed on September 15, 2025, affecting the Linux kernel's Virtual Kernel Mode Setting (VKMS) driver (NVD).

The vulnerability stems from the vkmsinit() function not properly checking the return value of vkmscreate(). When vkmscreate() fails, the config allocated at the beginning of vkmsinit() is leaked. The technical flow shows that config is allocated using kmalloc(), but if vkms_create() fails, the function returns without freeing the allocated memory, resulting in a memory leak. This was confirmed by a backtrace showing the leak occurring in the modprobe process (RedHat).

The vulnerability results in a memory leak of 16 bytes when the VKMS module installation fails. While the immediate impact is relatively small, repeated failures could lead to cumulative memory leaks in the system. According to Red Hat's assessment, the vulnerability has been assigned a CVSS v3.1 base score of 5.5, indicating a moderate severity level (RedHat).

The issue has been fixed by implementing a proper check for the return value of vkms_create() and adding code to free the config if an error occurs. Red Hat has marked this for deferred fixes in Red Hat Enterprise Linux 8 and 9 (RedHat).