CVE-2022-50278: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-50278 is a vulnerability discovered in the Linux kernel related to a memory leak in the PNP (Plug and Play) subsystem. The issue was publicly disclosed on September 15, 2025, and affects the pnp_alloc_dev() function. The vulnerability emerged after commit 1fa5ae857bb1 which changed how device names are handled in the driver core (NVD).

The vulnerability occurs in the PNP subsystem of the Linux kernel where a memory leak exists in the pnp_alloc_dev() function. The issue arose when the device name allocation was changed to be dynamic following a modification to the driver core that removed the struct device's bus_id string array. The technical fix involves moving the dev_set_name() call to occur after pnp_add_id() to prevent the memory leak. The vulnerability has been assigned a CVSS 3.1 base score of 5.5 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability results in a memory leak condition in the Linux kernel's PNP subsystem. While the impact is limited to local systems and does not allow for information disclosure or system compromise, it could potentially lead to system resource degradation over time through memory exhaustion (Red Hat).

The vulnerability has been fixed in various Linux distributions through security updates. Ubuntu has released fixes across multiple versions including 22.04 LTS (5.15.0-69.76), 20.04 LTS (5.4.0-144.161), and 18.04 LTS (4.15.0-208.220). Similar fixes have been deployed for specialized kernel variants such as linux-aws, linux-azure, and linux-gcp (Ubuntu).