
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-50457 is a vulnerability discovered in the Linux kernel affecting the Memory Technology Device (MTD) subsystem. The issue was published on October 1, 2025, and involves a refcount error in the del_mtd_device() function (NVD, RedHat).
The vulnerability stems from an incorrect sequence of operations in the del_mtd_device() function. Specifically, the function calls memset(&mtd->dev, 0) before calling of_node_put(), which clears the mtd->dev.of_node pointer before it can be passed to of_node_put(). As a result, of_node_put() receives a NULL pointer and skips the reference count decrement. The issue manifests as a reference counting error in which the refcount is expected to be 1 but remains at 2, indicating an unbalanced of_node_get()/of_node_put() pair (RedHat). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (RedHat).
The primary impact of this vulnerability is a memory leak in the system due to the improper reference counting. When triggered, it results in an error message indicating 'OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced' (NVD).
The issue has been resolved by modifying the del_mtd_device() function to cache the pointer of the device_node before clearing the device structure with memset. This ensures proper reference counting and prevents the memory leak (NVD).
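The ordering problem and its fix can be reproduced in a small userspace model. This is an added example, not the kernel's code or the upstream patch: the structs are reduced to the fields involved, `del_buggy`, `del_fixed` and `refcount_after_removal` are hypothetical names, and the starting refcount of 1 plus one reference taken at registration is an assumption chosen to match the error message above.

```c
/* Userspace model of the ordering bug; these types and helpers are
 * simplified stand-ins written for this example, not kernel source. */
#include <stdio.h>
#include <string.h>

struct device_node { int refcount; };
struct device      { struct device_node *of_node; };
struct mtd_info    { struct device dev; };

static struct device_node *of_node_get(struct device_node *np)
{
    if (np) np->refcount++;
    return np;
}

/* Like the kernel helper, a NULL node is silently ignored. */
static void of_node_put(struct device_node *np) { if (np) np->refcount--; }

/* Ordering the page describes as vulnerable: wipe first, put second. */
static void del_buggy(struct mtd_info *mtd)
{
    memset(&mtd->dev, 0, sizeof(mtd->dev));
    of_node_put(mtd->dev.of_node);   /* pointer is NULL: no decrement */
}

/* Ordering the page describes as the fix: cache, wipe, put. */
static void del_fixed(struct mtd_info *mtd)
{
    struct device_node *np = mtd->dev.of_node;
    memset(&mtd->dev, 0, sizeof(mtd->dev));
    of_node_put(np);
}

/* Assumed lifecycle: node starts at 1, registration takes one reference. */
static int refcount_after_removal(void (*del)(struct mtd_info *))
{
    struct device_node node = { .refcount = 1 };
    struct mtd_info mtd = { .dev = { .of_node = of_node_get(&node) } };
    del(&mtd);
    return node.refcount;
}

int main(void)
{
    printf("buggy: %d, fixed: %d\n", refcount_after_removal(del_buggy),
           refcount_after_removal(del_fixed));
    return 0;
}
```

Because the put helper accepts NULL without complaint, the buggy ordering fails silently at removal time; the imbalance only surfaces later, when the node's final refcount is checked.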
Source: This report was generated using AI