CVE-2022-49150: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
rtc: gamecube: Fix refcount leak in gamecube_rtc_read_offset_from_sram
The of_find_compatible_node() function returns a node pointer with refcount incremented. We should use of_node_put() on it when done. Add the missing of_node_put() to release the refcount.
AI Analysis
Technical Summary
CVE-2022-49150 is a reference count leak in the Linux kernel's Real-Time Clock (RTC) subsystem, specifically in the GameCube RTC driver. The function gamecube_rtc_read_offset_from_sram, which reads the RTC offset from SRAM, calls of_find_compatible_node(), which returns a device tree node pointer with an incremented reference count. The driver never calls of_node_put() to release that reference once the node is no longer needed, so the reference count leaks. The fix adds the missing of_node_put() call.
While this vulnerability does not directly lead to memory corruption or code execution, the reference count leak can cause gradual resource exhaustion in the kernel, potentially leading to degraded system performance or instability over time. Because the Linux kernel is widely used across numerous distributions and devices, this vulnerability affects any system running an affected kernel version that includes the GameCube RTC driver. The vulnerability has been publicly disclosed and patched, and no known exploits are currently reported in the wild. No CVSS score has been assigned; the vulnerability is not considered immediately critical but still requires attention to prevent potential long-term reliability issues.
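The leak pattern described above, as an added user-space C model (not the kernel driver's code and not part of the original page). The lookup and put functions are simplified stand-ins for of_find_compatible_node() and of_node_put(); the compatible string and the read_offset_leaky, read_offset_fixed and leaked_refs names are hypothetical.

```c
/* User-space model of the device-tree refcount contract; not kernel code. */
#include <stdio.h>
#include <string.h>
struct device_node { const char *compatible; int refcount; };
#define COMPAT "example,rtc-sram"   /* constructed placeholder string */
static struct device_node sram_node = { COMPAT, 1 };

/* Model of the lookup: a match is returned with refcount incremented. */
static struct device_node *of_find_compatible_node(struct device_node *from,
        const char *type, const char *compat) {
    (void)from; (void)type;
    if (strcmp(sram_node.compatible, compat) != 0)
        return NULL;
    sram_node.refcount++;
    return &sram_node;
}

/* Model of of_node_put(): drops one reference; NULL is a no-op. */
static void of_node_put(struct device_node *np) { if (np) np->refcount--; }

/* Leaky shape: the reference taken by the lookup is never released. */
static int read_offset_leaky(int fail) {
    struct device_node *np = of_find_compatible_node(NULL, NULL, COMPAT);
    if (!np)
        return 0;
    return fail ? -1 : 0;       /* np is still held on both return paths */
}

/* Fixed shape: put the node after its last use, before any early return. */
static int read_offset_fixed(int fail) {
    struct device_node *np = of_find_compatible_node(NULL, NULL, COMPAT);
    if (!np)
        return 0;
    int ret = fail ? -1 : 0;    /* stand-in for the work done with np */
    of_node_put(np);            /* balances the lookup on every path */
    return ret;
}

/* Net references gained over n calls, alternating success and error. */
static int leaked_refs(int (*fn)(int), int n) {
    int before = sram_node.refcount;
    for (int i = 0; i < n; i++) fn(i & 1);
    return sram_node.refcount - before;
}

int main(void) {
    printf("leaky=%d fixed=%d\n", leaked_refs(read_offset_leaky, 8),
           leaked_refs(read_offset_fixed, 8));
    return 0;
}
```

In this model every leaky call pins one extra reference, so the node's count can never return to its baseline and the node could never be freed.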
Potential Impact
For European organizations, the impact of CVE-2022-49150 is primarily related to system stability and reliability rather than direct compromise of confidentiality or integrity. Systems running Linux kernels with the affected GameCube RTC driver may experience resource leaks leading to kernel memory exhaustion or performance degradation over time. This can affect servers, embedded devices, or specialized hardware that rely on this driver. While the vulnerability does not enable direct remote code execution or privilege escalation, the resulting instability could disrupt critical services or operations, especially in environments where uptime and reliability are paramount, such as industrial control systems, telecommunications infrastructure, or data centers. European organizations with Linux-based infrastructure should consider this vulnerability in their risk assessments, particularly if they use custom or older kernel versions that might include the vulnerable code. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future exploitation or cumulative system degradation.
Mitigation Recommendations
To mitigate CVE-2022-49150, European organizations should:
1) Apply the official Linux kernel patches that fix the reference count leak by adding the missing of_node_put() call in the gamecube_rtc_read_offset_from_sram function.
2) Review and update Linux kernel versions to the latest stable releases that include this fix, especially on systems using the GameCube RTC driver or related device tree nodes.
3) Conduct thorough testing of kernel updates in staging environments to ensure compatibility and stability before deployment in production.
4) Monitor system logs and kernel metrics for signs of resource leaks or performance degradation that could indicate unpatched vulnerabilities.
5) For embedded or specialized devices, coordinate with hardware vendors to obtain firmware or kernel updates addressing this issue.
6) Implement proactive kernel memory monitoring and alerting to detect abnormal resource consumption early.
7) Maintain an inventory of Linux kernel versions and configurations across the organization to identify potentially affected systems.
These steps go beyond generic advice by focusing on targeted patching, monitoring, and vendor coordination specific to this reference count leak vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.274Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982dc4522896dcbe505d
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 3:26:35 AM
Last updated: 7/30/2025, 12:22:16 PM