CVE-2022-49621: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: pmac32-cpufreq: Fix refcount leak bug
In pmac_cpufreq_init_MacRISC3(), we need to add corresponding of_node_put() for the three node pointers whose refcounts have been incremented by of_find_node_by_name().
AI Analysis
Technical Summary
CVE-2022-49621 is a vulnerability identified in the Linux kernel specifically related to the cpufreq subsystem for the pmac32 architecture (Power Macintosh 32-bit). The issue arises from a reference count leak in the function pmac_cpufreq_init_MacRISC3(). Within this function, three node pointers obtained via of_find_node_by_name() have their reference counts incremented but are not properly decremented by corresponding of_node_put() calls. This leads to a resource management bug where the reference counts are not balanced, causing a leak. Reference count leaks in kernel code can result in resource exhaustion over time, potentially degrading system stability or causing denial of service (DoS) conditions. The vulnerability does not appear to allow direct code execution or privilege escalation but can impact system reliability. The affected versions are identified by a specific commit hash repeated multiple times, indicating a particular kernel source state before the fix. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The fix involves adding the missing of_node_put() calls to properly release the node references and prevent the leak. This vulnerability is architecture-specific, affecting the pmac32 cpufreq driver, which is relevant to older Power Macintosh hardware running Linux kernels with this driver enabled.
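The leak pattern described above, as an added user-space model (not kernel code and not the driver's source): `find_node()` and `node_put()` are hypothetical stand-ins for of_find_node_by_name() and of_node_put(), and the node names are constructed.

```c
/* User-space model of device-tree node refcounting; not kernel code. */
#include <stdio.h>
#include <string.h>

struct node { const char *name; int refcount; };

/* Constructed sample tree: three nodes, each holding one base reference. */
static struct node tree[] = { {"node-a", 1}, {"node-b", 1}, {"node-c", 1} };
#define NNODES ((int)(sizeof(tree) / sizeof(tree[0])))

/* Stand-in for of_find_node_by_name(): a successful lookup takes a reference. */
static struct node *find_node(const char *name) {
    for (int i = 0; i < NNODES; i++)
        if (strcmp(tree[i].name, name) == 0) { tree[i].refcount++; return &tree[i]; }
    return NULL;
}

/* Stand-in for of_node_put(): drops one reference, NULL is a no-op. */
static void node_put(struct node *n) { if (n) n->refcount--; }

/* References held beyond the base count, i.e. taken and never released. */
static int leaked_refs(void) {
    int total = 0;
    for (int i = 0; i < NNODES; i++) total += tree[i].refcount - 1;
    return total;
}

/* Leaky shape: three lookups, no put on the success or the error path. */
static int init_leaky(const char *third) {
    struct node *a = find_node("node-a");
    struct node *b = find_node("node-b");
    struct node *c = find_node(third);
    return (a && b && c) ? 0 : -1;
}

/* Balanced shape: every exit path passes through the matching puts. */
static int init_fixed(const char *third) {
    struct node *a = find_node("node-a");
    struct node *b = find_node("node-b");
    struct node *c = find_node(third);
    int ret = (a && b && c) ? 0 : -1;
    node_put(c); node_put(b); node_put(a);
    return ret;
}

int main(void) {
    init_leaky("node-c");
    printf("after leaky init: %d leaked\n", leaked_refs());
    init_fixed("node-c");
    printf("after fixed init: %d leaked\n", leaked_refs());
    return 0;
}
```

In the model, a failed third lookup still leaks the two references already taken, which is why the balanced version releases on every exit path rather than only on success.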
Potential Impact
For European organizations, the impact of CVE-2022-49621 is likely limited due to the niche nature of the affected architecture (pmac32) and driver. Most modern Linux deployments in Europe run on x86_64, ARM, or other architectures rather than Power Macintosh 32-bit hardware. However, organizations that maintain legacy systems or specialized embedded devices using pmac32 Linux kernels could experience system instability or denial of service due to resource leaks if this vulnerability is exploited or triggered. This could affect availability of critical systems if the leak leads to kernel memory exhaustion or crashes. Since no privilege escalation or remote code execution is involved, confidentiality and integrity impacts are minimal. The lack of known exploits and the specialized hardware context reduce the immediate risk. Nonetheless, organizations with legacy Linux systems should prioritize patching to maintain system reliability and prevent potential DoS conditions.
Mitigation Recommendations
To mitigate CVE-2022-49621, organizations should:
1) Identify any Linux systems running on pmac32 architecture or using the pmac32 cpufreq driver.
2) Apply the official Linux kernel patches that add the missing of_node_put() calls in pmac_cpufreq_init_MacRISC3() as soon as they become available in stable kernel releases.
3) For legacy systems where kernel upgrades are challenging, consider recompiling the kernel with the patch applied manually.
4) Monitor system logs and kernel metrics for signs of resource leaks or instability related to cpufreq operations.
5) Implement routine kernel updates and maintain an inventory of hardware architectures in use to ensure timely vulnerability management.
6) If legacy pmac32 hardware is no longer critical, plan for migration to supported architectures to reduce exposure to such niche vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:21:30.420Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe463b
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/29/2025, 11:25:41 PM
Last updated: 7/31/2025, 1:06:54 PM