CVE-2022-49119: Vulnerability in Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:55:00 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix memory leak in pm8001_chip_fw_flash_update_req()

In pm8001_chip_fw_flash_update_build(), if pm8001_chip_fw_flash_update_build() fails, the struct fw_control_ex allocated must be freed.

AI-Powered Analysis

Last updated: 06/30/2025, 02:57:28 UTC

Technical Analysis

CVE-2022-49119 is a memory leak in pm8001, a Linux kernel SCSI driver that handles communication with certain storage controllers. The affected path is the firmware flash update request: pm8001_chip_fw_flash_update_req() allocates a struct fw_control_ex and then calls pm8001_chip_fw_flash_update_build(), which builds the firmware update request for the pm8001 chip. If the build step fails, the allocated struct fw_control_ex is not freed.

Each time the failure is triggered, the memory stays allocated, so the kernel consumes increasing amounts of memory if the condition repeats. The vulnerability does not directly allow code execution or privilege escalation, but the leak can degrade system performance and stability, and could lead to denial of service (DoS) conditions if triggered at scale or in critical environments.

The fix frees the allocated memory on the failure path in pm8001_chip_fw_flash_update_req(). There are no known exploits in the wild at this time, and no CVSS score has been assigned. The affected Linux kernel versions are identified by specific commit hashes, indicating that the issue is present in certain kernel builds prior to the patch. The flaw is low-level, affecting the kernel's memory management during firmware update operations for pm8001 devices.
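The leak pattern described above, as an added user-space model in C (not the pm8001 driver's code and not part of the original page): a context is allocated, the build step fails, and the error path either drops the context or frees it. The fixed-size pool, the function names and the struct fields are assumptions made for illustration; only the struct name fw_control_ex comes from the description.

```c
/* Added illustration: user-space model, not the pm8001 driver source.
 * Everything except the struct name fw_control_ex is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 64 /* constructed: small pool so exhaustion is visible */
struct fw_control_ex { void *virt_addr; unsigned int len; }; /* fields assumed */
static struct fw_control_ex pool[POOL_SLOTS];
static unsigned char in_use[POOL_SLOTS];

static struct fw_control_ex *ctx_alloc(void) {
    for (size_t i = 0; i < POOL_SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return &pool[i]; }
    return NULL; /* pool exhausted */
}
static void ctx_free(struct fw_control_ex *c) { if (c) in_use[c - pool] = 0; }

/* Stand-in for the build step; on success the completion path frees ctx. */
static int build_model(struct fw_control_ex *ctx, int fail) {
    if (fail) return -EIO;
    ctx_free(ctx);
    return 0;
}

static int req_leaky(int fail) { /* pre-fix shape: error path drops ctx */
    struct fw_control_ex *ctx = ctx_alloc();
    return ctx ? build_model(ctx, fail) : -ENOMEM;
}

static int req_fixed(int fail) { /* post-fix shape: free ctx when build fails */
    struct fw_control_ex *ctx = ctx_alloc();
    if (!ctx) return -ENOMEM;
    int rc = build_model(ctx, fail);
    if (rc) ctx_free(ctx); /* release the context on the failure path */
    return rc;
}

/* Issue n failing requests, then one good one; return the good one's result. */
static int good_request_after_failures(int (*req)(int), int n) {
    memset(in_use, 0, sizeof in_use);
    while (n-- > 0) req(1);
    return req(0);
}

int main(void) {
    printf("leaky: %d\n", good_request_after_failures(req_leaky, POOL_SLOTS));
    printf("fixed: %d\n", good_request_after_failures(req_fixed, POOL_SLOTS));
    return 0;
}
```

In the model, the leaky variant returns -ENOMEM for a valid request once enough failed builds have pinned every slot, which is the availability impact the analysis describes; the fixed variant keeps serving requests.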

Potential Impact

For European organizations, the primary impact of CVE-2022-49119 lies in potential system instability and resource exhaustion on Linux servers or devices using the pm8001 SCSI driver, which is common in storage controllers for enterprise and data center environments. Organizations relying on Linux-based storage solutions or servers with pm8001 hardware could experience degraded performance or unexpected crashes if the memory leak is triggered repeatedly, potentially disrupting critical business operations. While the vulnerability does not directly compromise confidentiality or integrity, the availability of affected systems could be impaired, leading to operational downtime. This is particularly relevant for sectors with high storage demands such as finance, telecommunications, cloud service providers, and public sector infrastructure in Europe. Given the absence of known exploits, the immediate risk is low, but unpatched systems remain vulnerable to potential future exploitation or accidental triggering of the memory leak. The impact is more pronounced in environments where firmware updates for pm8001 devices are frequent or automated, increasing the likelihood of encountering the failure condition.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability has been patched, ensuring that the fix that frees the memory in pm8001_chip_fw_flash_update_req() when pm8001_chip_fw_flash_update_build() fails is applied. System administrators should audit their environments to identify servers and devices using the pm8001 SCSI driver and verify kernel versions against the patched commits.

Additionally, monitoring system memory usage and kernel logs for anomalies related to pm8001 firmware update operations can help detect attempts to trigger the memory leak. Implementing strict controls and validation around firmware update processes can reduce the chance of failure conditions that cause the leak. For environments where immediate patching is not feasible, temporarily limiting or disabling automatic firmware updates for pm8001 devices can mitigate risk. Finally, maintaining robust backup and recovery procedures ensures resilience against potential service disruptions caused by this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.264Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4f67

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 2:57:28 AM

Last updated: 7/30/2025, 9:21:20 PM
