CVE-2022-49454: Vulnerability in Linux Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 02:13:03 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: mediatek: Fix refcount leak in mtk_pcie_subsys_powerup()

The of_find_compatible_node() function returns a node pointer with refcount incremented. We should use of_node_put() on it when done. Add the missing of_node_put() to release the refcount.

AI-Powered Analysis

Last updated: 06/30/2025, 07:27:54 UTC

Technical Analysis

CVE-2022-49454 is a reference count leak in the Linux kernel's PCI Mediatek subsystem, in the function mtk_pcie_subsys_powerup(). The function of_find_compatible_node() returns a node pointer with its reference count incremented, but the code did not call of_node_put() to decrement the count once the node was no longer needed. The leaked reference can cause resource exhaustion over time. Although the vulnerability does not directly allow code execution or privilege escalation, leaked kernel references can degrade system stability and potentially lead to denial of service (DoS) conditions if the kernel runs out of resources managing device nodes. The vulnerability affects Linux kernel versions containing commit 87e8657ba99cac87b84c7f8ead91b44d88345504, and it has been fixed by adding the missing of_node_put() call to release the reference. There are no known exploits in the wild at this time, and no CVSS score has been assigned. The issue is low-level, affecting kernel memory management in PCI device power-up sequences on Mediatek hardware platforms.
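The leak and its fix can be reproduced in a small userspace model. This is an added example, not the kernel's source: find_compatible(), node_put(), map_regs(), both powerup functions and the compatible string are hypothetical stand-ins for the contract described above.

```c
/* Userspace model; every name is a hypothetical stand-in, not kernel code. */
#include <stdio.h>
#include <string.h>
struct node { const char *compatible; int refcount; };
/* Constructed sample node; refcount 1 is the reference held by the tree. */
static struct node cfg = { "vendor,example-pciecfg", 1 };
/* Models of_find_compatible_node(): the returned node carries an extra
 * reference that the caller now owns. */
static struct node *find_compatible(const char *compat)
{
    if (strcmp(cfg.compatible, compat) != 0)
        return NULL;
    cfg.refcount++;
    return &cfg;
}
/* Models of_node_put(): drops the caller's reference. */
static void node_put(struct node *n) { if (n) n->refcount--; }
/* Hypothetical consumer of the node; fail != 0 models an error return. */
static int map_regs(struct node *n, int fail) { (void)n; return fail ? -1 : 0; }
/* Leaky shape: the reference is never dropped, on success or on error. */
static int powerup_leaky(int fail)
{
    struct node *n = find_compatible("vendor,example-pciecfg");
    return (n && map_regs(n, fail) < 0) ? -1 : 0;
}
/* Fixed shape: put the node after its last use, before any return. */
static int powerup_fixed(int fail)
{
    struct node *n = find_compatible("vendor,example-pciecfg");
    int ret = n ? map_regs(n, fail) : 0;
    node_put(n);
    return ret;
}

/* Run `calls` power-ups, every third one failing; return leaked references. */
static int leaked_after(int (*powerup)(int), int calls)
{
    cfg.refcount = 1;
    for (int i = 0; i < calls; i++)
        powerup(i % 3 == 0);
    return cfg.refcount - 1;
}

int main(void)
{
    printf("leaked refs: leaky=%d fixed=%d\n", leaked_after(powerup_leaky, 9), leaked_after(powerup_fixed, 9));
    return 0;
}
```

In the model each call to the leaky variant strands one reference whether or not the call succeeds, which is why the count never returns to its baseline.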

Potential Impact

For European organizations, the impact of CVE-2022-49454 is primarily related to system stability and availability. Organizations using Linux systems with Mediatek PCI devices—common in embedded systems, IoT devices, or specialized industrial equipment—may experience gradual resource depletion leading to kernel instability or crashes. This can disrupt critical infrastructure, manufacturing systems, or telecommunications equipment that rely on stable Linux kernel operation. While the vulnerability does not directly compromise confidentiality or integrity, the potential for denial of service through resource exhaustion could affect business continuity and operational reliability. The impact is more pronounced in environments where uptime is critical and where Mediatek hardware is deployed at scale. Since no known exploits exist, the immediate risk is low, but unpatched systems remain vulnerable to future exploitation attempts or accidental system failures.

Mitigation Recommendations

To mitigate CVE-2022-49454, European organizations should prioritize updating their Linux kernel to the patched version that includes the fix for the reference count leak. This involves applying the latest stable kernel releases or vendor-provided patches that address the mtk_pcie_subsys_powerup() function. For embedded or specialized devices, coordinate with hardware vendors or device manufacturers to obtain firmware or kernel updates. Additionally, implement monitoring of kernel logs and system resource usage to detect early signs of resource leaks or instability related to PCI device management. Employ rigorous testing of kernel updates in staging environments before deployment to production to avoid unintended disruptions. Where immediate patching is not feasible, consider isolating affected devices or limiting their exposure to critical network segments to reduce potential impact. Regularly review and audit kernel modules and device drivers for similar resource management issues to proactively identify and remediate vulnerabilities.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.573Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982ec4522896dcbe5a94

Added to database: 5/21/2025, 9:09:02 AM

Last enriched: 6/30/2025, 7:27:54 AM

Last updated: 8/6/2025, 10:20:57 AM
