
CVE-2022-49713: Vulnerability in Linux (Linux kernel)

Severity: Medium
Published: Wed Feb 26 2025 (02/26/2025, 02:24:29 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: Fix memory leak in dwc2_hcd_init

usb_create_hcd will alloc memory for hcd, and we should call usb_put_hcd to free it when platform_get_resource() fails to prevent memory leak. goto error2 label instead of error1 to fix this.

AI-Powered Analysis

Last updated: 06/28/2025, 00:55:40 UTC

Technical Analysis

CVE-2022-49713 is a vulnerability identified in the Linux kernel's USB driver subsystem, specifically within the dwc2 (DesignWare Core USB 2.0) host controller driver. The issue is a memory leak caused by improper error handling during the initialization of the USB host controller driver (HCD). When the function usb_create_hcd allocates memory for the host controller driver structure (hcd), it is expected that if subsequent resource acquisition via platform_get_resource() fails, the allocated memory should be freed by calling usb_put_hcd to prevent a memory leak. However, due to a coding error, the error handling path incorrectly jumps to an error1 label that does not free the allocated memory, instead of the correct error2 label which includes the cleanup call. This results in a memory leak during the initialization phase of the USB host controller driver. Although this vulnerability does not directly lead to code execution or privilege escalation, persistent memory leaks can degrade system stability and availability over time, especially on systems with frequent USB device initialization or reinitialization. The affected versions include multiple Linux kernel commits prior to the fix, indicating that this vulnerability is present in various kernel versions used in embedded systems, servers, and desktops. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The fix involves correcting the error handling path to ensure proper memory deallocation on failure.
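To make the label mix-up concrete, here is an added C simulation (not the kernel's code) of the dwc2_hcd_init error ladder, using user-space stand-ins for usb_create_hcd, usb_put_hcd and platform_get_resource. The names dwc2_hcd_init_sim, hcds_left_after_failed_init and the live_hcds counter are constructed for this example.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed user-space stand-ins for the kernel calls named in the CVE. */
int live_hcds;                  /* usb_create_hcd() allocations not yet put */
struct usb_hcd { int dummy; };

static struct usb_hcd *usb_create_hcd(void)
{
    struct usb_hcd *hcd = calloc(1, sizeof(*hcd));
    live_hcds += hcd != NULL;
    return hcd;
}
static void usb_put_hcd(struct usb_hcd *hcd) { free(hcd); live_hcds--; }
static int platform_get_resource_ok(void) { return 0; }  /* MEM lookup fails */

/* Error ladder shaped like dwc2_hcd_init: jump_to_error1 != 0 reproduces the
 * pre-fix jump, which bypasses the usb_put_hcd() that sits under error2. */
int dwc2_hcd_init_sim(int jump_to_error1)
{
    struct usb_hcd *hcd = usb_create_hcd();
    int retval = -ENOMEM;
    if (!hcd)
        goto error1;            /* nothing to release yet: error1 is right */
    if (!platform_get_resource_ok()) {
        retval = -EINVAL;
        if (jump_to_error1)
            goto error1;        /* bug: hcd is orphaned */
        goto error2;            /* fix: unwind through usb_put_hcd() */
    }
    return 0;                   /* success: hcd stays owned by the driver */

error2:
    usb_put_hcd(hcd);
error1:
    return retval;
}

/* Runs one failed init and returns how many hcds it left allocated. */
int hcds_left_after_failed_init(int jump_to_error1)
{
    live_hcds = 0;
    dwc2_hcd_init_sim(jump_to_error1);
    return live_hcds;
}

int main(void)
{
    return hcds_left_after_failed_init(1) != 1 || hcds_left_after_failed_init(0) != 0;
}
```

The leaked object is the host controller's own hcd, allocated while the dwc2 platform device is being probed, so the leak recurs only when that probe fails on a missing MEM resource and is retried, not on every USB device attach.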

Potential Impact

For European organizations, the impact of CVE-2022-49713 is primarily related to system reliability and availability rather than direct compromise of confidentiality or integrity. Systems running vulnerable Linux kernels with the dwc2 USB driver could experience gradual memory exhaustion due to the leak, potentially leading to degraded performance or crashes in environments with frequent USB device activity. This could affect critical infrastructure, industrial control systems, and enterprise servers that rely on Linux for USB connectivity. While the vulnerability does not appear to enable remote code execution or privilege escalation, denial of service through resource exhaustion remains a concern. Organizations with high USB device turnover or embedded Linux devices in operational technology (OT) environments may be more susceptible. The absence of known exploits reduces immediate risk, but unpatched systems could face stability issues over time, impacting business continuity and operational efficiency.

Mitigation Recommendations

To mitigate CVE-2022-49713, European organizations should prioritize updating their Linux kernels to versions where the fix has been applied. This involves applying vendor-supplied patches or upgrading to the latest stable kernel releases that include the corrected error handling in the dwc2 driver. For embedded and specialized Linux distributions, coordination with vendors or maintainers is essential to obtain patched versions. Additionally, organizations should implement monitoring of system memory usage and USB subsystem logs to detect abnormal memory consumption patterns that could indicate the presence of the leak. In environments with critical uptime requirements, consider limiting unnecessary USB device connections or reinitializations until patches are applied. For systems where kernel upgrades are not immediately feasible, applying kernel live patching solutions (if supported) may provide temporary relief. Finally, maintain an inventory of Linux systems using the dwc2 driver to ensure comprehensive patch management coverage.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:21:30.444Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbdd72c

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 12:55:40 AM

Last updated: 8/2/2025, 12:28:33 AM
