CVE-2022-48975: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix memory leak in gpiochip_setup_dev() Here is a backtrace report about memory leak detected in gpiochip_setup_dev(): unreferenced object 0xffff88810b406400 (size 512): comm "python3", pid 1682, jiffies 4295346908 (age 24.090s) backtrace: kmalloc_trace device_add device_private_init at drivers/base/core.c:3361 (inlined by) device_add at drivers/base/core.c:3411 cdev_device_add gpiolib_cdev_register gpiochip_setup_dev gpiochip_add_data_with_key gcdev_register() & gcdev_unregister() would call device_add() & device_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to register/unregister device. However, if device_add() succeeds, some resource (like struct device_private allocated by device_private_init()) is not released by device_del(). Therefore, after device_add() succeeds by gcdev_register(), it needs to call put_device() to release resource in the error handle path. Here we move forward the register of release function, and let it release every piece of resource by put_device() instead of kfree(). While at it, fix another subtle issue, i.e. when gc->ngpio is equal to 0, we still call kcalloc() and, in case of further error, kfree() on the ZERO_PTR pointer, which is not NULL. It's not a bug per se, but rather waste of the resources and potentially wrong expectation about contents of the gdev->descs variable.
AI Analysis
Technical Summary
CVE-2022-48975 addresses a memory leak vulnerability in the Linux kernel's GPIO subsystem, specifically within the gpiochip_setup_dev() function. The issue arises during the registration and unregistration of GPIO character devices (gcdev_register and gcdev_unregister). When device_add() succeeds, the associated resources, such as struct device_private allocated by device_private_init(), are not properly released by device_del(). This leads to a memory leak because put_device() is not called in the error handling path after device_add() succeeds. Additionally, the vulnerability includes a suboptimal handling of the gc->ngpio parameter when it is zero. In this case, kcalloc() is still called, and if an error occurs, kfree() is called on a ZERO_PTR pointer, which is not NULL. While not a direct bug, this behavior wastes resources and may cause incorrect assumptions about the contents of the gdev->descs variable. The fix involves moving the registration of the release function forward and ensuring that put_device() is called to release all allocated resources instead of directly calling kfree(). This vulnerability is a resource management flaw that could lead to a gradual increase in kernel memory usage, potentially affecting system stability over time. It does not appear to be exploitable for privilege escalation or code execution, and no known exploits are reported in the wild as of now.
Potential Impact
For European organizations, the impact of this vulnerability is primarily related to system stability and reliability rather than direct compromise of confidentiality or integrity. Systems running affected Linux kernel versions that utilize GPIO character devices could experience memory leaks, which may lead to degraded performance or eventual system crashes if the leak is sustained over time. This is particularly relevant for embedded systems, industrial control systems, IoT devices, and other specialized hardware platforms common in manufacturing, automotive, telecommunications, and critical infrastructure sectors prevalent in Europe. Organizations relying on Linux-based systems for operational technology (OT) or edge computing should be aware that prolonged uptime without patching could result in service interruptions. Although this vulnerability does not enable direct remote exploitation or privilege escalation, the indirect effects on availability could disrupt business operations and critical services, especially in environments where uptime and reliability are paramount.
Mitigation Recommendations
To mitigate CVE-2022-48975, organizations should prioritize updating their Linux kernel to a version that includes the fix for this memory leak vulnerability. Kernel patches addressing this issue have been published and should be applied promptly. For environments where immediate patching is not feasible, monitoring system memory usage related to GPIO device management can help detect abnormal resource consumption early. Administrators should audit the usage of GPIO character devices and consider disabling or limiting their use if not required. Additionally, implementing robust system monitoring and alerting for kernel memory leaks or unusual device registration failures can provide early warning signs. For embedded and IoT devices, coordinate with hardware vendors to obtain updated firmware or kernel versions incorporating the fix. Finally, ensure that development and testing environments include this patch to prevent introduction of the vulnerability in custom Linux kernel builds.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
CVE-2022-48975: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix memory leak in gpiochip_setup_dev() Here is a backtrace report about memory leak detected in gpiochip_setup_dev(): unreferenced object 0xffff88810b406400 (size 512): comm "python3", pid 1682, jiffies 4295346908 (age 24.090s) backtrace: kmalloc_trace device_add device_private_init at drivers/base/core.c:3361 (inlined by) device_add at drivers/base/core.c:3411 cdev_device_add gpiolib_cdev_register gpiochip_setup_dev gpiochip_add_data_with_key gcdev_register() & gcdev_unregister() would call device_add() & device_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to register/unregister device. However, if device_add() succeeds, some resource (like struct device_private allocated by device_private_init()) is not released by device_del(). Therefore, after device_add() succeeds by gcdev_register(), it needs to call put_device() to release resource in the error handle path. Here we move forward the register of release function, and let it release every piece of resource by put_device() instead of kfree(). While at it, fix another subtle issue, i.e. when gc->ngpio is equal to 0, we still call kcalloc() and, in case of further error, kfree() on the ZERO_PTR pointer, which is not NULL. It's not a bug per se, but rather waste of the resources and potentially wrong expectation about contents of the gdev->descs variable.
AI-Powered Analysis
Technical Analysis
CVE-2022-48975 addresses a memory leak vulnerability in the Linux kernel's GPIO subsystem, specifically within the gpiochip_setup_dev() function. The issue arises during the registration and unregistration of GPIO character devices (gcdev_register and gcdev_unregister). When device_add() succeeds, the associated resources, such as struct device_private allocated by device_private_init(), are not properly released by device_del(). This leads to a memory leak because put_device() is not called in the error handling path after device_add() succeeds. Additionally, the vulnerability includes a suboptimal handling of the gc->ngpio parameter when it is zero. In this case, kcalloc() is still called, and if an error occurs, kfree() is called on a ZERO_PTR pointer, which is not NULL. While not a direct bug, this behavior wastes resources and may cause incorrect assumptions about the contents of the gdev->descs variable. The fix involves moving the registration of the release function forward and ensuring that put_device() is called to release all allocated resources instead of directly calling kfree(). This vulnerability is a resource management flaw that could lead to a gradual increase in kernel memory usage, potentially affecting system stability over time. It does not appear to be exploitable for privilege escalation or code execution, and no known exploits are reported in the wild as of now.
Potential Impact
For European organizations, the impact of this vulnerability is primarily related to system stability and reliability rather than direct compromise of confidentiality or integrity. Systems running affected Linux kernel versions that utilize GPIO character devices could experience memory leaks, which may lead to degraded performance or eventual system crashes if the leak is sustained over time. This is particularly relevant for embedded systems, industrial control systems, IoT devices, and other specialized hardware platforms common in manufacturing, automotive, telecommunications, and critical infrastructure sectors prevalent in Europe. Organizations relying on Linux-based systems for operational technology (OT) or edge computing should be aware that prolonged uptime without patching could result in service interruptions. Although this vulnerability does not enable direct remote exploitation or privilege escalation, the indirect effects on availability could disrupt business operations and critical services, especially in environments where uptime and reliability are paramount.
Mitigation Recommendations
To mitigate CVE-2022-48975, organizations should prioritize updating their Linux kernel to a version that includes the fix for this memory leak vulnerability. Kernel patches addressing this issue have been published and should be applied promptly. For environments where immediate patching is not feasible, monitoring system memory usage related to GPIO device management can help detect abnormal resource consumption early. Administrators should audit the usage of GPIO character devices and consider disabling or limiting their use if not required. Additionally, implementing robust system monitoring and alerting for kernel memory leaks or unusual device registration failures can provide early warning signs. For embedded and IoT devices, coordinate with hardware vendors to obtain updated firmware or kernel versions incorporating the fix. Finally, ensure that development and testing environments include this patch to prevent introduction of the vulnerability in custom Linux kernel builds.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-22T01:27:53.631Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982fc4522896dcbe67c2
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 12:42:07 AM
Last updated: 8/8/2025, 5:43:56 PM
Views: 17
Related Threats
CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighCVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.