CVE-2022-49188 is a vulnerability identified in the Linux kernel's remoteproc subsystem, specifically within the qcom_q6v5_mss driver responsible for managing Qualcomm Hexagon DSP memory regions. The issue arises from improper reference counting management of device_node pointers obtained via of_parse_phandle() or of_get_child_by_name(). These functions increment the reference count of device_node pointers, which must be decremented using of_node_put() once the pointer is no longer needed. The vulnerability is due to the function q6v5_alloc_memory_region only calling of_node_put(node) when of_address_to_resource() succeeds, neglecting to release the reference in error cases. This leads to memory leaks as the reference count is not properly decremented, causing resource exhaustion over time. While the vulnerability does not directly allow code execution or privilege escalation, the memory leak can degrade system stability and availability, particularly on devices relying on this driver. The issue affects specific Linux kernel versions identified by the commit hash 051fb70fd4ea40fbc7139186a4890b2fe5cb1e76. No known exploits are currently reported in the wild, and no CVSS score has been assigned. The fix involves ensuring that of_node_put() is called in all code paths, including error handling, to properly manage reference counts and prevent leaks.

For European organizations, the primary impact of CVE-2022-49188 lies in potential system instability and reduced availability of Linux-based devices utilizing Qualcomm Hexagon DSPs managed by the affected driver. This is particularly relevant for embedded systems, telecommunications infrastructure, and IoT devices that run custom Linux kernels with this driver. Memory leaks can accumulate over time, leading to degraded performance, crashes, or forced reboots, which could disrupt critical services or operations. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can affect operational continuity, especially in industrial control systems, network equipment, or edge computing devices prevalent in sectors such as manufacturing, telecommunications, and critical infrastructure. The absence of known exploits reduces immediate risk; however, unpatched systems remain vulnerable to potential future exploitation or denial-of-service conditions caused by resource exhaustion.

European organizations should prioritize updating Linux kernels to versions that include the patch fixing CVE-2022-49188. Specifically, kernel maintainers and system administrators should verify that the qcom_q6v5_mss driver has been updated to correctly call of_node_put() in all code paths, including error handling. For embedded and IoT devices where kernel updates may be challenging, organizations should engage with device vendors to obtain patched firmware or kernel versions. Monitoring system logs for signs of memory leaks or resource exhaustion related to the remoteproc subsystem can provide early detection of issues. Additionally, implementing robust system resource monitoring and automated reboot policies can mitigate availability impacts while patches are deployed. Network segmentation and limiting access to devices running affected kernels can reduce exposure. Finally, organizations should maintain an inventory of devices using Qualcomm Hexagon DSPs and assess their kernel versions to prioritize patching efforts.