CVE-2022-50779
Description
In the Linux kernel, the following vulnerability has been resolved:
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
When insert and remove the orangefs module, then debug_help_string will be leaked:
unreferenced object 0xffff8881652ba000 (size 4096): comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s) hex dump (first 32 bytes): 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow backtrace: [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0 [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs] [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t] [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0 [<000000001d0614ae>] do_init_module+0xdf/0x320 [<00000000efef068c>] load_module+0x2f98/0x3330 [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0 [<00000000a0da6f99>] do_syscall_64+0x35/0x80 [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
When remove the module, should always free debug_help_string. Should always free the allocated buffer when change the free_debug_help_string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's orangefs module occurs when the debug_help_string buffer is not freed on module removal.
Vulnerability
CVE-2022-50779 describes a memory leak in the Linux kernel's OrangeFS (orangefs) filesystem module. The function orangefs_prepare_debugfs_help_string() allocates a buffer (debug_help_string) using kmalloc_trace but fails to free it when the module is removed. This results in a kernel memory leak that can be observed via kmemleak, as shown in the kernel commit references [1][2][3][4].
Exploitation
An attacker with the ability to load and unload the orangefs kernel module (typically requiring root privileges) can trigger the leak repeatedly. Each module insertion allocates a new 4096-byte buffer is allocated and never freed, gradually consuming kernel memory. No special network access or user interaction is needed beyond module load/unload operations.
Impact
Repeated module insertions and removals will exhaust kernel memory, potentially leading to system instability or denial of service (DoS). The leak is limited to the size of the allocated buffer (4 KB per cycle), but sustained exploitation can degrade system performance or cause out-of-memory conditions.
Mitigation
The fix is included in Linux kernel stable updates. The patch ensures that debug_help_string is freed when the module is removed, preventing the memory leak. Users should apply the latest kernel updates from their distribution or compile a patched kernel from the stable tree containing the commit referenced in [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
944d3eac26a5ef2b8a6aac561ba9d3b9cec202e7c09121064b8affa0c640539529b79b0233fc221d9a16319be31668552d23417a5bf3aVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- git.kernel.org/stable/c/19be31668552a198e887762e25bdcc560800ecb4nvd
- git.kernel.org/stable/c/2e7c09121064df93c58bbc49d3d0f608d3f584bdnvd
- git.kernel.org/stable/c/39529b79b023713d4f2d3479dc0ca43ba99df726nvd
- git.kernel.org/stable/c/3fc221d9a16339a913a0341d3efc7fef339073e1nvd
- git.kernel.org/stable/c/44d3eac26a5e5268d11cc342dc202b0d31505c0anvd
- git.kernel.org/stable/c/b8affa0c6405ee968dcb6030bee2cf719a464752nvd
- git.kernel.org/stable/c/ba9d3b9cec20957fd86bb1bf525b4ea8b64b2deanvd
- git.kernel.org/stable/c/d23417a5bf3a3afc55de5442eb46e1e60458b0a1nvd
- git.kernel.org/stable/c/f2b8a6aac561a49fe02c99683c40a8b87a9f68fcnvd
News mentions
0No linked articles in our index yet.