CVE-2022-49923: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

nfc: nxp-nci: Fix potential memory leak in nxp_nci_send()

nxp_nci_send() will call nxp_nci_i2c_write(), and only free skb when nxp_nci_i2c_write() failed. However, even if the nxp_nci_i2c_write() run succeeds, the skb will not be freed in nxp_nci_i2c_write(). As a result, the skb will memleak. nxp_nci_send() should also free the skb when nxp_nci_i2c_write() succeeds.
AI Analysis
Technical Summary
CVE-2022-49923 is a vulnerability in the Linux kernel's NFC (Near Field Communication) driver, specifically within the nxp-nci module. The issue is in nxp_nci_send(), the function responsible for sending data via the NXP NFC controller interface, and is a potential memory leak caused by improper handling of socket buffers (skb). In the affected code, nxp_nci_send() calls nxp_nci_i2c_write() to perform the actual data transmission over I2C. If nxp_nci_i2c_write() fails, nxp_nci_send() frees the skb. If nxp_nci_i2c_write() succeeds, the skb is freed neither within nxp_nci_i2c_write() nor afterwards in nxp_nci_send(), so the buffer leaks.

Over time, repeated successful calls can cause the kernel to consume increasing amounts of memory, potentially leading to resource exhaustion. The flaw is a resource-management error: it does not directly allow code execution or privilege escalation, but it can degrade system stability and availability. The affected versions are specific Linux kernel commits identified by the hash dece45855a8b0d1dcf48eb01d0822070ded6a4c8. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned. The fix ensures the skb is freed regardless of whether nxp_nci_i2c_write() succeeds or fails.
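The ownership bug described above, reduced to a user-space C model (an added example, not the kernel driver's source). `struct buf`, `model_i2c_write()`, `model_send_before()` and `model_send_after()` are hypothetical stand-ins for the skb, nxp_nci_i2c_write() and the two versions of nxp_nci_send(); a counter of live buffers makes the leak measurable.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: struct buf stands in for the kernel's sk_buff. */
struct buf { size_t len; };
static int live_bufs;                 /* buffers allocated and not yet freed */

static struct buf *buf_alloc(size_t len) {
    struct buf *b = malloc(sizeof(*b));
    if (b) { b->len = len; live_bufs++; }
    return b;
}
static void buf_free(struct buf *b) { free(b); live_bufs--; }

/* Stand-in for nxp_nci_i2c_write(): reports success or failure and,
 * like the function described above, never frees the buffer itself. */
static int model_i2c_write(struct buf *b, int fail) {
    (void)b;
    return fail ? -1 : 0;
}

/* Pattern before the fix: the buffer is freed only on the error path. */
static int model_send_before(struct buf *b, int fail) {
    int r = model_i2c_write(b, fail);
    if (r < 0)
        buf_free(b);
    return r;                         /* on success b is still allocated */
}

/* Pattern after the fix: the send routine frees the buffer on both paths. */
static int model_send_after(struct buf *b, int fail) {
    int r = model_i2c_write(b, fail);
    buf_free(b);
    return r;
}

/* Run n sends (every fourth write fails); return how many buffers leaked. */
static int leaked_after(int (*send)(struct buf *, int), int n) {
    live_bufs = 0;
    for (int i = 0; i < n; i++) {
        struct buf *b = buf_alloc(64);
        if (b) send(b, i % 4 == 3);
    }
    return live_bufs;
}

int main(void) {
    printf("before fix: %d leaked\n", leaked_after(model_send_before, 1000));
    printf("after fix:  %d leaked\n", leaked_after(model_send_after, 1000));
    return 0;
}
```

Only the successful writes leak in the first variant, which is why the leak grows with normal NFC traffic rather than with error conditions.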
Potential Impact
For European organizations, the impact of CVE-2022-49923 primarily concerns system stability and availability. Systems running Linux kernels with the vulnerable nxp-nci NFC driver may experience gradual memory exhaustion if the NFC functionality is heavily used, potentially leading to degraded performance or system crashes. This can affect embedded devices, IoT systems, or industrial control systems that rely on NFC communication and run affected Linux versions. While the vulnerability does not directly compromise confidentiality or integrity, denial of service through resource exhaustion can disrupt critical operations, especially in sectors like manufacturing, transportation, or healthcare where NFC-enabled devices are used. Given the widespread use of Linux in European enterprises and public sector infrastructure, unpatched systems could face operational risks. However, the lack of known exploits and the requirement for specific NFC usage scenarios limit the immediate threat level. Organizations using Linux-based NFC-enabled devices should be aware of this vulnerability to avoid potential service disruptions.
Mitigation Recommendations
Mitigation requires updating the Linux kernel to a version where the nxp-nci driver has been patched to properly free skb buffers after successful nxp_nci_i2c_write() calls. Organizations should:
1) Identify all systems using the nxp-nci NFC driver, particularly those running the affected kernel versions.
2) Apply vendor-supplied kernel updates or patches that address CVE-2022-49923 promptly.
3) For embedded or IoT devices where kernel updates are challenging, consider disabling NFC functionality if not required to reduce exposure.
4) Monitor system memory usage on devices with NFC capabilities to detect abnormal memory consumption patterns that may indicate exploitation attempts.
5) Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely remediation.
Since no known exploits exist, proactive patching is the best defense to prevent potential denial of service conditions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-05-01T14:05:17.252Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe4064
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 8:41:49 PM
Last updated: 7/31/2025, 2:17:28 PM