CVE-2022-50751
Description
In the Linux kernel, the following vulnerability has been resolved:
configfs: fix possible memory leak in configfs_create_dir()
kmemleak reported memory leaks in configfs_create_dir():
unreferenced object 0xffff888009f6af00 (size 192):
  comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
  backtrace:
    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
    new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)
    configfs_register_subsystem (fs/configfs/dir.c:1857)
    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
    do_one_initcall (init/main.c:1296)
    do_init_module (kernel/module/main.c:2455)
    ...

unreferenced object 0xffff888003ba7180 (size 96):
  comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
  backtrace:
    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
    configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)
    configfs_make_dirent (fs/configfs/dir.c:248)
    configfs_create_dir (fs/configfs/dir.c:296)
    configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)
    configfs_register_subsystem (fs/configfs/dir.c:1881)
    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
    do_one_initcall (init/main.c:1296)
    do_init_module (kernel/module/main.c:2455)
    ...
This is because the refcount is not correct in configfs_make_dirent(). In the normal case, the refcount changes as follows:
configfs_register_subsystem()
  configfs_create_dir()
    configfs_make_dirent()
      configfs_new_dirent() # set s_count = 1
      dentry->d_fsdata = configfs_get(sd); # s_count = 2
...
configfs_unregister_subsystem()
  configfs_remove_dir()
    remove_dir()
      configfs_remove_dirent() # s_count = 1
    dput() ...
      *dentry_unlink_inode()*
        configfs_d_iput() # s_count = 0, release
However, if we fail in configfs_create():
configfs_register_subsystem()
  configfs_create_dir()
    configfs_make_dirent() # s_count = 2
    ...
    configfs_create() # fail
    ->out_remove:
    configfs_remove_dirent(dentry)
      configfs_put(sd) # s_count = 1
    return PTR_ERR(inode);
There is no inode in the error path, so the configfs_d_iput() call is lost, which leaks the sd and fragment memory.
To fix this, when we fail in configfs_create(), manually call configfs_put(sd) to keep the refcount correct.
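The two refcount sequences above, as an added userspace C model (not kernel code and not part of the original description). It assumes a fixed-size pool as a stand-in for the slab cache; dirent_model, create_dir, the with_fix switch and leaked_after_failures are hypothetical names.

```c
/* Userspace model of the s_count lifecycle described above (not kernel code). */
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8                        /* constructed stand-in for the slab cache */
struct dirent_model { int s_count; };      /* s_count == 0 means the slot is free */
static struct dirent_model pool[POOL_SIZE];

static struct dirent_model *new_dirent(void)       /* configfs_new_dirent() */
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].s_count == 0) {
            pool[i].s_count = 1;
            return &pool[i];
        }
    return NULL;                           /* pool exhausted by leaked entries */
}

/* Models configfs_create_dir(); create_fails simulates configfs_create() failing. */
static struct dirent_model *create_dir(int create_fails, int with_fix)
{
    struct dirent_model *sd = new_dirent();
    if (!sd)
        return NULL;
    sd->s_count++;                         /* d_fsdata = configfs_get(sd): s_count = 2 */
    if (!create_fails)
        return sd;                         /* normal path: released later via configfs_d_iput() */
    if (with_fix)                          /* out_remove: no inode, so no configfs_d_iput() */
        sd->s_count--;                     /* the manual configfs_put(sd) from the fix */
    sd->s_count--;                         /* configfs_remove_dirent(): configfs_put(sd) */
    return NULL;
}

/* Reset the pool, run failing creations, return entries still allocated. */
int leaked_after_failures(int attempts, int with_fix)
{
    int live = 0;
    memset(pool, 0, sizeof(pool));
    for (int i = 0; i < attempts; i++)
        create_dir(1, with_fix);
    for (int i = 0; i < POOL_SIZE; i++)
        live += pool[i].s_count != 0;
    return live;
}

int main(void)
{
    printf("leaked before fix: %d, after: %d\n", leaked_after_failures(5, 0), leaked_after_failures(5, 1));
    return 0;
}
```

In the model, each failed creation without the extra put leaves one entry stuck at s_count = 1, and once the pool is full every later allocation fails, which is the exhaustion outcome a leak of this kind leads to.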
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-50751 is a memory leak vulnerability in the Linux kernel's configfs_create_dir() where a refcounting error prevents freeing allocated memory during certain error paths.
Vulnerability Description
The vulnerability is a memory leak in configfs, the Linux kernel's filesystem-based configuration interface. When a directory is created via configfs_create_dir(), a reference counting error occurs in configfs_make_dirent(). Under normal operation, the s_count field of a configfs directory entry is incremented and decremented in balance, allowing proper cleanup during unregistration. However, when configfs_create() fails after configfs_make_dirent() has already set s_count to 2, the error path drops only one reference, so s_count never reaches 0 and the objects allocated by new_fragment() and configfs_new_dirent() are leaked.
Exploitation and Attack Surface
An attacker with the ability to trigger an error during directory creation in configfs can cause this memory leak. The issue is reachable through the configfs_register_subsystem() call, which can be invoked from various kernel modules, such as the stm_p_basic driver for hardware tracing. No special privileges beyond the ability to load a kernel module (or trigger configfs operations) are required. The attack surface is limited to systems where configfs is enabled and where such error injection is possible.
Impact
Successfully exploiting this vulnerability results in a persistent memory leak, depleting kernel memory over time. This can lead to system instability, denial of service (DoS), or resource exhaustion. The leak does not provide code execution or privilege escalation directly.
Mitigation
The issue has been patched in the Linux kernel stable releases. The fix corrects the reference counting for the entry set up by configfs_make_dirent(): when configfs_create() fails, configfs_put(sd) is called manually so that the allocated memory is properly freed. Users should update their kernel to a version containing the commit [1] or [2] to address this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches (6): 90c38f57a821, 74ac7c9ee2d4, 07f82dca1122, 8bc77754224a, c72eb6e6e49a, c65234b283a6
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/07f82dca112262b169bec0001378126439cab776 (nvd)
- git.kernel.org/stable/c/74ac7c9ee2d486c501e7864c903f5098fc477acd (nvd)
- git.kernel.org/stable/c/8bc77754224a2c8581727ffe2e958119b4e27c8f (nvd)
- git.kernel.org/stable/c/90c38f57a821499391526b15cc944c265bd24e48 (nvd)
- git.kernel.org/stable/c/c65234b283a65cfbfc94619655e820a5e55199eb (nvd)
- git.kernel.org/stable/c/c72eb6e6e49a71f7598740786568fafdd013a227 (nvd)