CVE-2022-49190

kernel/resource: fix kfree() of bootmem memory again

Description

In the Linux kernel, the following vulnerability has been resolved: kernel/resource: fix kfree() of bootmem memory again Since commit ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem memory"), we could get a resource allocated during boot via alloc_resource(). And it's required to release the resource using free_resource(). Howerver, many people use kfree directly which will result in kernel BUG. In order to fix this without fixing every call site, just leak a couple of bytes in such corner case.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/3379a60f6bb4afcd9c456e340ac525ae649d3ce7
https://git.kernel.org/stable/c/a9e88c2618d228d7a4e7e515cf30dc0d0d813f27 patch
https://git.kernel.org/stable/c/d7faa04a44a0c37ac3d222fa8e0bdcbfcee9c0c8 patch
https://git.kernel.org/stable/c/ab86020070999e758ce2e60c4348f20bf7ddba56 patch
https://git.kernel.org/stable/c/0cbcc92917c5de80f15c24d033566539ad696892 patch

Frequently Asked Questions

What is the severity of CVE-2022-49190?
CVE-2022-49190 has been scored as a medium severity vulnerability.
How to fix CVE-2022-49190?
To fix CVE-2022-49190, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-49190 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-49190 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-49190?
CVE-2022-49190 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.