Vulnerability identifier: #VU104316
Vulnerability risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-49619
CWE-ID: CWE-401
Exploitation vector: Local
Exploit availability: No
Vulnerable software: Linux kernel (Operating systems & Components / Operating system)
Vendor: Linux Foundation
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak within the sfp_probe() function in drivers/net/phy/sfp.c.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Linux kernel: 5.18, 5.18 rc1, 5.18 rc2, 5.18 rc3, 5.18 rc5, 5.18 rc6, 5.18 rc7, 5.18 rc8, 5.18.1, 5.18.2, 5.18.3, 5.18.4, 5.18.5, 5.18.6, 5.18.7, 5.18.8, 5.18.9, 5.18.10, 5.18.11, 5.18.12
External links
https://git.kernel.org/stable/c/0a18d802d65cf662644fd1d369c86d84a5630652
https://git.kernel.org/stable/c/1545bc727625ea6e8decd717e5d1e8cc704ccf8f
https://git.kernel.org/stable/c/204543581a2f26bb3b997a304c0bd06926ba7f15
https://git.kernel.org/stable/c/67dc32542a1fb7790d0853cf4a5cf859ac6a2002
https://git.kernel.org/stable/c/9ec5a97f327a89031fce6cfc3e95543c53936638
https://git.kernel.org/stable/c/ede990cfc42775bd0141e21f37ee365dcaeeb50f
https://git.kernel.org/stable/c/f22ddc8a5278d7fb6369a0aeb0d8775a0aefaaee
https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.18.13
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.