CVE-2022-49530: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: fix double free in si_parse_power_table()
In function si_parse_power_table(), array adev->pm.dpm.ps and its member is allocated. If the allocation of each member fails, the array itself is freed and returned with an error code. However, the array is later freed again in si_dpm_fini() function which is called when the function returns an error. This leads to potential double free of the array adev->pm.dpm.ps, as well as leak of its array members, since the members are not freed in the allocation function and the array is not nulled when freed. In addition adev->pm.dpm.num_ps, which keeps track of the allocated array member, is not updated until the member allocation is successfully finished, this could also lead to either use after free, or uninitialized variable access in si_dpm_fini().
Fix this by postponing the free of the array until si_dpm_fini() and increment adev->pm.dpm.num_ps every time the array member is allocated.
AI Analysis
Technical Summary
CVE-2022-49530 is a vulnerability identified in the Linux kernel specifically within the AMD GPU driver component, drm/amd/pm. The flaw exists in the function si_parse_power_table(), which is responsible for allocating and initializing an array (adev->pm.dpm.ps) and its members related to power management settings. The vulnerability arises due to improper memory management: if allocation of any array member fails, the function frees the entire array and returns an error. However, the array is subsequently freed again in the si_dpm_fini() function, which is called upon error return, leading to a double free condition. Additionally, the members of the array are not freed when the array is freed, causing potential memory leaks. The variable adev->pm.dpm.num_ps, which tracks the number of successfully allocated members, is only updated after successful allocation, which can result in use-after-free or uninitialized variable access in si_dpm_fini(). The root cause is a mismatch in the timing and logic of memory deallocation and tracking of allocated members. The fix involves deferring the array free operation until si_dpm_fini() and incrementing the member count immediately upon each successful allocation, ensuring proper cleanup and preventing double free or use-after-free scenarios. This vulnerability affects Linux kernel versions containing the specified commit hashes and pertains to AMD GPU power management code. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet.
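The ownership mismatch described above, as an added userspace model in C (not the kernel's code and not from the original page): parse() stands in for si_parse_power_table() and dpm_fini() for si_dpm_fini(). The tracking allocator, the `priv` member name and the `fixed` switch are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the ownership bug; not kernel code. Supports n <= 15. */
struct ps  { void *priv; };                 /* "priv" is a hypothetical member name */
struct dpm { struct ps *ps; int num_ps; };  /* stands in for adev->pm.dpm */
struct result { int double_frees, leaked; };
static void *released[16];                  /* pointers already passed to t_free() */
static int n_released, n_live, n_double, fail_at;

static void *t_alloc(size_t n) { void *p = calloc(1, n); if (p) n_live++; return p; }
/* Record releases instead of calling free(), so a repeat is counted, not acted on. */
static void t_free(void *p) {
    for (int i = 0; p && i < n_released; i++)
        if (released[i] == p) { n_double++; return; }
    if (p) { released[n_released++] = p; n_live--; }
}

static int parse(struct dpm *d, int n, int fixed) {
    d->ps = t_alloc(n * sizeof(*d->ps));
    if (!d->ps) return -1;
    for (int i = 0; i < n; i++) {
        void *m = (i == fail_at) ? NULL : t_alloc(32);  /* forced allocation failure */
        if (!m) {
            if (!fixed) t_free(d->ps);  /* vulnerable: array freed, stale pointer kept */
            return -1;                  /* fixed: cleanup is left to dpm_fini() */
        }
        d->ps[i].priv = m;
        if (fixed) d->num_ps++;         /* fixed: count each member as it is allocated */
    }
    if (!fixed) d->num_ps = n;          /* vulnerable: count set only on full success */
    return 0;
}

static void dpm_fini(struct dpm *d) {   /* frees num_ps members, then the array */
    for (int i = 0; d->ps && i < d->num_ps; i++) t_free(d->ps[i].priv);
    t_free(d->ps);
}

struct result run(int n, int fail_index, int fixed) {
    struct dpm d = {0};
    for (int i = 0; i < n_released; i++) free(released[i]);  /* really free last run */
    n_released = n_live = n_double = 0; fail_at = fail_index;
    parse(&d, n, fixed); dpm_fini(&d);  /* the model always runs cleanup after parse */
    return (struct result){ n_double, n_live };
}

int main(void) {
    struct result v = run(4, 2, 0), f = run(4, 2, 1);
    printf("vulnerable: %d/%d fixed: %d/%d\n", v.double_frees, v.leaked, f.double_frees, f.leaked);
    return 0;
}
```

With four members and a failure on the third, the vulnerable path records one double free of the array and two leaked members; the fixed path records neither.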
Potential Impact
For European organizations, the impact of CVE-2022-49530 depends largely on their use of Linux systems with AMD GPUs, particularly those running kernel versions containing the vulnerable code. The vulnerability could lead to system instability or crashes due to double free or use-after-free memory errors within the kernel driver, potentially causing denial of service (DoS). In environments where Linux servers or workstations with AMD GPUs are used for critical workloads, such as scientific computing, media processing, or virtualization, unexpected crashes could disrupt operations. Although no direct remote code execution or privilege escalation is indicated, memory corruption vulnerabilities in kernel space can sometimes be leveraged by attackers to escalate privileges or execute arbitrary code, especially if combined with other vulnerabilities. Therefore, the vulnerability poses a moderate risk to confidentiality, integrity, and availability. European organizations relying on AMD GPU-enabled Linux systems should consider this vulnerability seriously, particularly in sectors like research institutions, media companies, and cloud providers where AMD hardware is prevalent. The absence of known exploits reduces immediate risk but does not eliminate the need for timely remediation.
Mitigation Recommendations
To mitigate CVE-2022-49530, European organizations should:
1) Identify Linux systems running AMD GPUs and verify kernel versions against the affected commits.
2) Apply the official Linux kernel patches that address this vulnerability as soon as they become available, or upgrade to a kernel version that includes the fix.
3) If immediate patching is not possible, consider temporarily disabling AMD GPU power management features or using alternative drivers if feasible to reduce exposure.
4) Monitor system logs for kernel errors or crashes related to the AMD GPU driver that could indicate exploitation attempts or instability.
5) Implement strict access controls and limit user privileges on affected systems to reduce the risk of exploitation.
6) Maintain up-to-date backups and incident response plans to quickly recover from potential denial of service incidents.
7) Engage with hardware and software vendors to ensure timely updates and support for AMD GPU drivers in Linux environments.
These steps go beyond generic advice by focusing on hardware-specific identification, proactive monitoring, and operational controls tailored to the nature of this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.588Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe4362
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:57:20 PM
Last updated: 8/4/2025, 8:32:43 PM