CVE-2022-50825

Vulnerability

Analysis

This vulnerability is a reference count leak in the Linux kernel's USB Type-C driver for the WUSB3801 chip. The driver's wusb3801_probe() function calls fwnode_handle_put() only in the success path; if wusb3801_hw_init() fails, the function returns early without decrementing the reference count obtained earlier by fwnode_handle_get() (implicitly via device tree node access). According to the kernel commit, a fault injection test triggered a memory leak report from the OF (Open Firmware) core: "OF: ERROR: memory leak, expected refcount 1 instead of 4" [1].

Exploitation

The bug is triggered during driver probing when the hardware initialization routine (wusb3801_hw_init()) returns an error. No special attacker action is required; the condition arises naturally on systems with a faulty or misconfigured WUSB3801 device. The driver is part of the kernel's Type-C subsystem and is loaded when the corresponding device is connected or enumerated during boot.

Impact

The leak causes a kernel memory leak of device tree node structures. Over repeated probe attempts (e.g., hotplug events or system reboots), the memory leak can deplete system memory, leading to denial of service (DoS). There is no evidence of code execution or privilege escalation; the impact is limited to resource exhaustion.

Mitigation

The fix was applied in the Linux kernel stable repository in commit de1e2eb7f102 [1]. Users should update their kernel to include this patch. No workaround is available other than avoiding hardware triggering the error path. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.