CVE-2022-49119

5.5 MEDIUM

📋 TL;DR

This CVE describes a memory leak vulnerability in the Linux kernel's pm8001 SCSI driver. When firmware flash update requests fail, allocated memory isn't properly freed, potentially leading to kernel memory exhaustion. Systems using pm8001-based SCSI controllers are affected.

💻 Affected Systems

Products:
  • Linux kernel with pm8001 SCSI driver
Versions: Kernel versions before fixes were applied (specific commits listed in references)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with pm8001-based SCSI controllers; vulnerability triggers during firmware flash update failures.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Sustained exploitation could cause kernel memory exhaustion leading to system instability, crashes, or denial of service.

🟠 Likely Case: Memory leak gradually consumes kernel memory over time, potentially causing performance degradation or system instability.

🟢 If Mitigated: With proper monitoring and memory limits, impact is limited to potential performance issues.

🌐 Internet-Facing: LOW - Requires local access or kernel-level compromise to trigger.
🏢 Internal Only: MEDIUM - Internal attackers with local access could potentially trigger the condition.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and the ability to trigger firmware flash update failures; not directly remotely exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: a25ed5f21f94f9ae4bcc8dd747e978668890c921, d83574666bac4b1462e90df393fbed6c5f57d1a3, e5ecdb01952f230921aa8163d8d7f4c97c925ed8, f792a3629f4c4aa4c3703d66b43ce1edcc3ec09a, fe5b8ea5583b5c3f6f68e06acba50387edf3b5d5

Vendor Advisory: https://git.kernel.org/stable/c/a25ed5f21f94f9ae4bcc8dd747e978668890c921

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution's repository.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Disable pm8001 module (Linux)

Prevent loading of the vulnerable driver if it is not required:

echo 'blacklist pm8001' >> /etc/modprobe.d/blacklist-pm8001.conf
rmmod pm8001

🧯 If You Can't Patch

  • Monitor kernel memory usage for unusual increases
  • Restrict local access to systems with pm8001 controllers

🔍 How to Verify

Check if Vulnerable:

Check whether the pm8001 module is loaded (lsmod | grep pm8001), and check the kernel version against patched releases.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits and pm8001 module loads without issues

📡 Detection & Monitoring

Log Indicators:

  • Kernel oom-killer messages
  • Memory allocation failures in dmesg
  • pm8001 driver error messages

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("pm8001" OR "memory allocation failure" OR "out of memory")
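
The monitoring advice and log indicators above, combined into one offline triage script. This is an added example, not code from the kernel project or the original advisory. Assumptions: the function names are hypothetical, the module may appear as pm8001 or pm80xx, the leaked objects are slab allocations counted under SUnreclaim in /proc/meminfo, and the 262144 kB threshold is arbitrary.

```shell
#!/bin/sh
# Added example: offline triage for the pm8001 leak indicators listed above.
# Every sample below is constructed for illustration, not captured from a host.

# Succeeds if /proc/modules-style text on stdin lists the driver.
# Assumption: the module may be registered as pm8001 or pm80xx, so match both.
driver_loaded() {
    awk '$1 == "pm8001" || $1 == "pm80xx" { hit = 1 } END { exit !hit }'
}

# Prints SUnreclaim growth in kB between two /proc/meminfo snapshots.
# Assumption: the leaked objects are slab allocations, which are counted there.
sunreclaim_growth_kb() {
    b=$(printf '%s\n' "$1" | awk '$1 == "SUnreclaim:" { print $2 }')
    a=$(printf '%s\n' "$2" | awk '$1 == "SUnreclaim:" { print $2 }')
    echo $(( a - b ))
}

# Counts kernel log lines (stdin) that match the page's log indicators.
count_indicators() {
    awk 'tolower($0) ~ /pm80(01|xx)|oom-killer|out of memory|allocation failure/ { n++ }
         END { print n + 0 }'
}

# Prints ALERT when the driver is loaded and growth exceeds the threshold (kB).
assess() {  # args: modules-text meminfo-before meminfo-after threshold-kB
    growth=$(sunreclaim_growth_kb "$2" "$3")
    if printf '%s\n' "$1" | driver_loaded && [ "$growth" -gt "$4" ]; then
        echo "ALERT growth_kb=$growth"
    else
        echo "OK growth_kb=$growth"
    fi
}

SAMPLE_MODULES='libsas 106496 1 pm80xx, Live 0x0000000000000000
pm80xx 258048 0 - Live 0x0000000000000000'
SAMPLE_BEFORE='MemTotal:       16303428 kB
Slab:             412300 kB
SUnreclaim:       151200 kB'
SAMPLE_AFTER='MemTotal:       16303428 kB
Slab:             935100 kB
SUnreclaim:       674000 kB'
SAMPLE_LOG='kernel: pm80xx0:: constructed sample driver error line
kernel: systemd invoked oom-killer: gfp_mask=0x100cca, order=0
kernel: usb 1-1: new high-speed USB device number 2
kernel: page allocation failure: order:4, mode:0x40cc0'

assess "$SAMPLE_MODULES" "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 262144
printf '%s\n' "$SAMPLE_LOG" | count_indicators
```

On a live host, feed the functions the contents of /proc/modules, two /proc/meminfo snapshots taken some time apart, and dmesg output in place of the constructed samples.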

🔗 References
