CVE-2022-50146 – This CVE describes a memory leak vulnerability ... (How to Fix)

Q: What is the severity of CVE-2022-50146?

CVE-2022-50146 has a CVSS score of 5.5 (MEDIUM). This CVE describes a memory leak vulnerability in the Linux kernel's PCI DesignWare endpoint controller driver. When dw_pcie_ep_init() fails during initialization, it doesn't properly clean up allocated EPC memory and MSI memory regions, causing kernel memory to be permanently lost. This affects systems using PCIe endpoints with the DesignWare controller.

📋 TL;DR

This CVE describes a memory leak vulnerability in the Linux kernel's PCI DesignWare endpoint controller driver. When dw_pcie_ep_init() fails during initialization, it doesn't properly clean up allocated EPC memory and MSI memory regions, causing kernel memory to be permanently lost. This affects systems using PCIe endpoints with the DesignWare controller.

💻 Affected Systems

Products:

Linux kernel with DesignWare PCIe endpoint controller support

Versions: Linux kernel versions before the fix commits (specific versions vary by distribution)

Operating Systems: Linux distributions using vulnerable kernel versions

Default Config Vulnerable: ✅ No

Notes: Only affects systems using PCIe endpoints with DesignWare controller; most desktop/workstation systems not affected unless using specific PCIe endpoint hardware.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained exploitation could lead to kernel memory exhaustion, causing system instability, crashes, or denial of service through resource depletion.

🟠

Likely Case

Memory leak during PCIe endpoint initialization failures, gradually consuming kernel memory until system becomes unstable or requires reboot.

🟢

If Mitigated

Minimal impact with proper monitoring and restart procedures; memory leak only occurs during specific initialization failures.

🌐 Internet-Facing: LOW - Requires local access or ability to trigger PCIe endpoint initialization failures.

🏢 Internal Only: MEDIUM - Could be exploited by malicious local users or through other vulnerabilities to cause system instability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires ability to trigger PCIe endpoint initialization failures; exploitation would need to be combined with other vulnerabilities or local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 2d546db5c80c45cac3ccd929550244fd58f4ff58, 3b453f5d06d1f1d6b20a75ea51dc7b53ae78f479, 8161e9626b50892eaedbd8070ecb1586ecedb109, b03a8f1264ea8c363bec9ef6e37b467f27cb04ea, e7599a5974d4c64eaae8009c3f2e47b9e3223e07

Vendor Advisory: https://git.kernel.org/stable/c/2d546db5c80c45cac3ccd929550244fd58f4ff58

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Check your distribution's security advisories for backported patches. 3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable PCIe endpoint controller

linux

If not needed, disable the DesignWare PCIe endpoint controller module

modprobe -r dw_pcie_ep
echo 'blacklist dw_pcie_ep' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

Monitor kernel memory usage and system stability metrics
Implement regular system reboots to clear accumulated memory leaks

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if dw_pcie_ep module is loaded: 'lsmod | grep dw_pcie_ep' and 'uname -r'

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits or check with distribution-specific security tools

📡 Detection & Monitoring

Log Indicators:

Kernel oom-killer messages
System instability logs
PCIe initialization failure messages in dmesg

Network Indicators:

None - local vulnerability only

SIEM Query:

search 'kernel: Out of memory' OR 'kernel: oom-killer' OR 'dw_pcie_ep_init failed'

📊 Metadata

CVE ID: CVE-2022-50146

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-401

EPSS Score: 0.02% exploit probability (3.5th percentile)

Published: June 18, 2025

Last Updated: November 17, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50146, you might also want to check these: