CVE-2022-50337: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability (CVE-2022-50337) was identified related to a PCI device refcount leak in the OpenCAPI (ocxl) subsystem when calling the getfunction0() function. The issue was discovered and publicly disclosed on September 15, 2025 (NVD).

The vulnerability occurs because getfunction0() calls pcigetdomainbusandslot(), which returns a PCI device with refcount increment. After using it, pcidevput() needs to be called. The fix involves getting the device reference when getfunction0() is not called, so pcidevput() can be called in the error path and callers unconditionally. Additionally, a comment was added above getdvsecvendor0() to inform callers to call pcidev_put() (NVD).

The vulnerability could lead to memory leaks in the Linux kernel due to improper reference counting of PCI devices. This affects various Linux distributions and their kernel versions, including Ubuntu 22.04 LTS and several other enterprise distributions (Ubuntu).

The vulnerability has been fixed in various Linux distributions. Ubuntu has released patches for affected versions, specifically in version 5.15.0-69.76 for Ubuntu 22.04 LTS (jammy). Similar fixes have been implemented for other affected versions including linux-kvm (5.15.0-1030.35), linux-aws (5.15.0-1033.37), and linux-azure (5.15.0-1035.42) (Ubuntu).