VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2022-50626

Description

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-usb: fix memory leak in dvb_usb_adapter_init()

Syzbot reports a memory leak in "dvb_usb_adapter_init()". The leak is due to not accounting for and freeing the current iteration's adapter->priv in case of an error. Currently, if an error occurs, it will exit before incrementing "num_adapters_initalized", which is used as a reference counter to free all adap->priv in "dvb_usb_adapter_exit()". There are multiple error paths that can exit before incrementing the counter, including the error handling paths for "dvb_usb_adapter_stream_init()", "dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()" within "dvb_usb_adapter_init()".

This means that in case of an error in any of these functions the current iteration is not accounted for and the current iteration's adap->priv is not freed.

Fix this by freeing the current iteration's adap->priv in the "stream_init_err:" label in the error path. The rest of the (accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() as expected using the num_adapters_initalized variable.

Syzbot report:

BUG: memory leak
unreferenced object 0xffff8881172f1a00 (size 512):
  comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]
    [] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
    [] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
    [] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883
    [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [] call_driver_probe drivers/base/dd.c:542 [inline]
    [] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
    [] really_probe drivers/base/dd.c:583 [inline]
    [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
    [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782
    [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899
    [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [] __device_attach+0x122/0x260 drivers/base/dd.c:970
    [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
    [] device_add+0x5fb/0xdf0 drivers/base/core.c:3405
    [] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170
    [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
    [] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
    [] call_driver_probe drivers/base/dd.c:542 [inline]
    [] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
    [] really_probe drivers/base/dd.c:583 [inline]
    [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in the Linux kernel's DVB USB driver allows local denial of service via unaccounted adapter private data on initialization failure.

Vulnerability Overview

A memory leak vulnerability (CVE-2022-50626) exists in the Linux kernel's DVB USB driver (dvb-usb). During device initialization, the function dvb_usb_adapter_init() allocates memory for adapter->priv at the start of each iteration but fails to free that allocation if an error occurs in subsequent sub-initialization routines (e.g., dvb_usb_adapter_stream_init(), dvb_usb_adapter_dvb_init(), dvb_usb_adapter_frontend_init()). The error path uses the counter num_adapters_initalized to track how many adapters were fully set up and to free their private data in dvb_usb_adapter_exit(). However, because the counter is not incremented until after successful initialization, a failure in any of those sub-functions causes the current adap->priv object to be orphaned and never freed [1].
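The accounting gap described above, reduced to a user-space C model as an added example (not the kernel driver's code or the upstream patch). The names `fail_at`, `fixed`, `live_allocs`, `drop_priv` and `leaked_after_probe` are hypothetical, and the model assumes the exit routine runs after a failed init.

```c
/* User-space model of the leak; simplified, not the kernel driver's code. */
#include <stdlib.h>
#define MAX_ADAPTERS 2

struct adapter { void *priv; };
struct device {
    struct adapter adapter[MAX_ADAPTERS];
    int num_adapters_initalized;    /* spelling as on the page */
};
static int live_allocs;             /* priv buffers currently allocated */

static void drop_priv(struct adapter *adap) { free(adap->priv); live_allocs--; }

static int adapter_init(struct device *d, int fail_at, int fixed)
{
    struct adapter *adap = NULL;
    for (int n = 0; n < MAX_ADAPTERS; n++) {
        adap = &d->adapter[n];
        adap->priv = calloc(1, 512);
        if (!adap->priv)
            return -1;
        live_allocs++;
        if (n == fail_at)           /* assumed knob: a sub-init fails here */
            goto stream_init_err;   /* leaves before the counter moves */
        d->num_adapters_initalized++;
    }
    return 0;
stream_init_err:
    if (fixed)                      /* the fix: free this iteration's priv */
        drop_priv(adap);
    return -1;
}

/* Frees only the adapters the counter accounts for. */
static void adapter_exit(struct device *d)
{
    while (d->num_adapters_initalized > 0)
        drop_priv(&d->adapter[--d->num_adapters_initalized]);
}

/* priv buffers still allocated after a failed init followed by exit. */
int leaked_after_probe(int fail_at, int fixed)
{
    struct device d = {0};
    live_allocs = 0;
    adapter_init(&d, fail_at, fixed);
    adapter_exit(&d);
    return live_allocs;
}
```

With `fixed` set to 0, one buffer stays allocated whichever adapter index fails, because the exit loop never reaches the iteration that bailed out.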

Exploitation and Attack Surface

Exploitation requires physical or logical access to a USB port where a malicious or malfunctioning DVB USB device can be plugged in. The attack surface is local; no authentication is required beyond the ability to attach USB devices. An unprivileged user could trigger the bug by hot-plugging a crafted USB DVB adapter that causes an error during the kernel's initialization sequence. Syzbot's reproducer demonstrates the leak occurring during the dvb_usb_device_init() call path [1].

Impact

A local attacker (or simple hardware fault) can cause a memory leak of up to 512 bytes per attempt. Repeated plugging/unplugging of the offending device will exhaust kernel memory, leading to system instability or denial of service. The vulnerability does not provide any code execution or privilege escalation beyond resource exhaustion.

Mitigation Status

The fix was committed to the Linux kernel stable trees (e.g., commit 94d90fb06b94). Users should update their kernel to a version that includes the patch, which correctly frees adap->priv in the stream_init_err: label [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
