CVE-2022-50813

CVE-2022-50813 is a resource leak vulnerability in the Linux kernel's MCB (Managed Controller Bus) driver. The flaw resides in the mcb_probe() function, which fails to call put_device() when a probe hook callback returns failure. This oversight prevents the device reference count from being decremented, leading to a persistent reference that prevents the device's resources from being freed [1][2][3][4].

The vulnerability is triggered during the device probe process. When the kernel attempts to bind a driver to an MCB device and the driver's probe hook fails, the normal cleanup path is not taken. The missing put_device() call means the device structure retains a reference, preventing proper deallocation. No special privileges or network access are required; local access to the system is sufficient to trigger the condition during normal device enumeration.

An attacker who can repeatedly cause probe failures (for example, by attaching devices that trigger driver probe errors) can exploit this bug to exhaust kernel memory, leading to a denial-of-service (DoS) condition. Repeated exploitation may eventually cause system instability or crashes due to resource starvation.

Patches have been committed to the Linux kernel stable tree, backported to various versions. Users should apply the corresponding stable kernel updates to mitigate the leak [1][2][3][4].