
CVE-2022-49239: Vulnerability in Linux

Severity: Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:56:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data

The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This is similar to commit 64b92de9603f ("ASoC: wcd9335: fix a leaked reference by adding missing of_node_put").

AI-Powered Analysis

Last updated: 06/30/2025, 04:40:54 UTC

Technical Analysis

CVE-2022-49239 is a vulnerability identified in the Linux kernel, specifically within the ALSA System on Chip (ASoC) codec driver for the wcd934x audio codec. The issue arises from a missing call to of_node_put(), which is necessary to decrement the reference count of a device_node pointer obtained via of_parse_phandle(). The device_node pointer is returned with an incremented reference count, and failing to call of_node_put() after use results in a reference count leak. This leak can cause resource exhaustion over time, potentially leading to degraded system performance or instability. The vulnerability is similar to a previously addressed issue in the wcd9335 codec driver, where a missing of_node_put() call was fixed to prevent a leaked reference. The root cause is a resource management flaw rather than a direct memory corruption or privilege escalation bug. No known exploits are currently reported in the wild, and no CVSS score has been assigned. The affected Linux kernel versions are identified by a specific commit hash, indicating the vulnerability is present in certain kernel builds prior to patching. The fix involves adding the missing of_node_put() call to properly release the device_node reference after parsing codec data.
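The following is an added, user-space model of the refcount contract the analysis describes; it is not kernel code. The struct and the two of_* functions are stand-ins that count references the way of_parse_phandle() and of_node_put() do, and the property name "slim-ifc-dev" is assumed for illustration. It places the leaky shape of the parse routine beside the fixed one and measures how the node's refcount drifts across repeated calls:

```c
#include <string.h>
/* Stand-in for struct device_node: a plain counter models the refcount contract. */
struct device_node { const char *name; int refcount; };
/* Constructed sample node standing in for a device-tree node. */
static struct device_node slim_ifc = { "slim_ifc_dev", 1 };

/* Models of_parse_phandle(): the returned node carries an extra reference. */
static struct device_node *of_parse_phandle(const char *prop)
{
    if (strcmp(prop, "slim-ifc-dev") != 0)
        return NULL;
    slim_ifc.refcount++;
    return &slim_ifc;
}

/* Models of_node_put(): drops the reference of_parse_phandle() took. */
static void of_node_put(struct device_node *np)
{
    if (np)
        np->refcount--;
}

/* Buggy shape of the parse routine: uses the node, never releases it. */
static int parse_data_leaky(void)
{
    struct device_node *ifc = of_parse_phandle("slim-ifc-dev");
    if (!ifc)
        return -1;
    return 0;   /* the reference taken above is lost here */
}

/* Fixed shape: release the reference once the node is no longer needed. */
static int parse_data_fixed(void)
{
    struct device_node *ifc = of_parse_phandle("slim-ifc-dev");
    if (!ifc)
        return -1;
    of_node_put(ifc);   /* balances the of_parse_phandle() reference */
    return 0;
}

/* Run one parse path n times (repeated probe cycles) and return the net
 * refcount growth; a path that balances its references returns 0. */
static int refcount_growth(int (*parse)(void), int n)
{
    int before = slim_ifc.refcount;
    for (int i = 0; i < n; i++)
        parse();
    return slim_ifc.refcount - before;
}
```

Each extra unit of growth is a device_node that can never be freed, which is the resource leak the patch closes.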

Potential Impact

For European organizations relying on Linux-based systems, particularly those using embedded devices or systems with the wcd934x audio codec (common in mobile and IoT devices), this vulnerability could lead to gradual resource leaks. Over extended periods, this may cause system instability or crashes, impacting availability of critical services. While the vulnerability does not directly enable privilege escalation or data leakage, the resulting instability could disrupt operations, especially in environments where uptime and reliability are critical, such as telecommunications infrastructure, industrial control systems, or healthcare devices. The impact is more pronounced in devices with limited resources where reference leaks can quickly exhaust available memory or kernel objects. Since the vulnerability is in a low-level kernel driver, it affects a broad range of Linux distributions and devices using affected kernel versions. However, the absence of known exploits and the nature of the flaw suggest the immediate risk is moderate, primarily affecting system stability rather than confidentiality or integrity.

Mitigation Recommendations

European organizations should ensure that all Linux systems, especially those running on embedded platforms or using the wcd934x codec, are updated to the latest kernel versions where this vulnerability is patched. Specifically, kernel updates that include the fix adding the missing of_node_put() call should be applied promptly. For devices where kernel updates are not immediately feasible, monitoring system logs and resource usage for signs of reference leaks or instability is recommended. Organizations should also implement robust patch management processes to track and deploy kernel updates. For critical infrastructure, consider isolating affected devices or employing redundancy to mitigate potential downtime. Additionally, vendors of embedded devices should be engaged to provide updated firmware incorporating the patched kernel. Since this is a resource leak issue, standard security controls like access restrictions and intrusion detection will not prevent the vulnerability but can help detect anomalous system behavior resulting from exploitation attempts or system degradation.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.294Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe53b9

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 4:40:54 AM

Last updated: 8/16/2025, 4:44:18 PM

