CVE-2022-50357
📋 TL;DR
This CVE describes a memory leak vulnerability in the Linux kernel's DWC3 USB controller driver during device probe operations. When certain error conditions occur during USB device initialization, the driver fails to properly clean up power supply resources, leading to kernel memory exhaustion over time. This affects any Linux system using the DWC3 USB controller hardware.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Repeated triggering could lead to kernel memory exhaustion, causing system instability, denial of service, or potential kernel crashes requiring system reboot.
Likely Case
Gradual memory leak during USB device initialization failures, potentially causing system performance degradation over time.
If Mitigated
With proper patching, no impact as the memory leak is fixed during error handling.
🎯 Exploit Status
Exploitation requires triggering specific error conditions during USB device initialization, typically through faulty USB hardware or specific device interactions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 2a735e4b5580a2a6bbd6572109b4c4f163c57462, 3a213503f483173e7eea76f2e7e3bdd6df7fd6f8, or 79c3afb55942368921237d7b5355d48c52bdde20
Vendor Advisory: https://git.kernel.org/stable/c/2a735e4b5580a2a6bbd6572109b4c4f163c57462
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable DWC3 USB controller
Platform: Linux
Prevents use of the vulnerable driver but disables USB functionality
echo 'blacklist dwc3' > /etc/modprobe.d/blacklist-dwc3.conf
update-initramfs -u
reboot
🧯 If You Can't Patch
- Monitor kernel memory usage for unusual increases and restart affected systems if memory exhaustion occurs
- Avoid connecting untrusted or faulty USB devices that could trigger probe failures
🔍 How to Verify
Check if Vulnerable:
Check whether the system uses the DWC3 USB controller ('lsmod | grep dwc3') and compare the running kernel version against the affected versions
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel version includes the fix commits ('uname -r') and confirm patch inclusion with your distribution vendor
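As an added example, not code from the advisory or from the kernel project, the POSIX shell script below classifies how dwc3 is present on a host: as a loaded module, compiled into the kernel image, or absent. The distinction matters for the blacklist workaround above, which only takes effect when dwc3 is built as a module; a built-in driver cannot be blacklisted through /etc/modprobe.d. The functions take their input as text so they can be exercised on the constructed sample lsmod and modules.builtin excerpts embedded below; the environment variable DWC3_CHECK_LIVE and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the advisory or the kernel project.
# Classify how the dwc3 driver is present on a host. Inputs are passed as
# text so the logic can be checked offline against the constructed samples.

# dwc3_loaded_as_module LSMOD_TEXT -> exit 0 if "dwc3" appears as a module name
dwc3_loaded_as_module() {
    printf '%s\n' "$1" | awk '$1 == "dwc3" { found = 1 } END { exit !found }'
}

# dwc3_builtin MODULES_BUILTIN_TEXT -> exit 0 if dwc3 is compiled into the kernel
# (the text normally comes from /lib/modules/$(uname -r)/modules.builtin)
dwc3_builtin() {
    printf '%s\n' "$1" | grep -q '/dwc3\.ko$'
}

# dwc3_state LSMOD_TEXT MODULES_BUILTIN_TEXT -> prints module | builtin | absent
dwc3_state() {
    if dwc3_loaded_as_module "$1"; then
        echo module
    elif dwc3_builtin "$2"; then
        echo builtin
    else
        echo absent
    fi
}

# workaround_applicable STATE -> exit 0 only for "module": a blacklist entry in
# /etc/modprobe.d cannot stop a driver that is compiled into the kernel image.
workaround_applicable() {
    [ "$1" = module ]
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
dwc3                   98304  0
ulpi                   16384  1 dwc3'
SAMPLE_BUILTIN='kernel/drivers/usb/dwc3/dwc3.ko
kernel/fs/ext4/ext4.ko'

if [ "${DWC3_CHECK_LIVE:-0}" = 1 ]; then
    # Live mode: read the real lsmod output and the modules.builtin list.
    lsmod_text=$(lsmod)
    builtin_text=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)
else
    lsmod_text=$SAMPLE_LSMOD
    builtin_text=$SAMPLE_BUILTIN
fi

state=$(dwc3_state "$lsmod_text" "$builtin_text")
echo "kernel: $(uname -r)"
echo "dwc3: $state"
if workaround_applicable "$state"; then
    echo "modprobe blacklist workaround can apply; patching is still required"
else
    echo "blacklist workaround not applicable (driver $state); patch the kernel"
fi
```

Run it with DWC3_CHECK_LIVE=1 to inspect the current host; without that variable it reports on the embedded samples. Whatever the state, the script does not tell you whether the fix commits are present: that still requires checking the kernel package changelog or the vendor's advisory, since the page lists commits rather than version numbers.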
📡 Detection & Monitoring
Log Indicators:
- Kernel oom-killer messages
- Memory allocation failures in kernel logs
- USB device initialization errors
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("oom-killer" OR "Out of memory" OR ("dwc3" AND "error"))
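The same query logic, applied to kernel log text offline, as an added example that is not part of the advisory: useful on hosts without a SIEM, or for validating the query against sample data before deploying it. The dmesg-style lines below are constructed for illustration (the platform device name a600000.usb and the process details are made up), and matching is case-insensitive, as it would be in most SIEM search syntaxes.

```shell
#!/bin/sh
# Added example, not code from the advisory. Applies the advisory's SIEM
# query logic to kernel log text offline.

# match_kernel_line LINE -> exit 0 when the line satisfies
# ("oom-killer" OR "Out of memory" OR ("dwc3" AND "error")), case-insensitively
match_kernel_line() {
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lc" in
        *oom-killer*|*"out of memory"*) return 0 ;;
        *dwc3*) case "$lc" in *error*) return 0 ;; esac ;;
    esac
    return 1
}

# count_matches LOG_TEXT -> prints how many lines match
count_matches() {
    n=0
    while IFS= read -r line; do
        if match_kernel_line "$line"; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

# print_matches LOG_TEXT -> echoes the matching lines for review
print_matches() {
    while IFS= read -r line; do
        if match_kernel_line "$line"; then printf '%s\n' "$line"; fi
    done <<EOF
$1
EOF
}

# Constructed sample of dmesg-style output (not captured from a real system).
SAMPLE_KLOG='[   12.340001] dwc3 a600000.usb: failed to initialize core: -22
[   12.340500] dwc3: probe of a600000.usb failed with error -22
[   13.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  900.123456] kthreadd invoked oom-killer: gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP)
[  900.123999] Out of memory: Killed process 1234 (python3) total-vm:204800kB
[  901.000000] dwc3 a600000.usb: resume completed'

echo "matching lines: $(count_matches "$SAMPLE_KLOG")"
print_matches "$SAMPLE_KLOG"
# Against the live kernel log instead:  print_matches "$(dmesg)"
```

On the sample, three lines match. The first sample line, a dwc3 probe failure that says "failed" but never "error", is not matched, which shows the limit of the published query: the USB initialization errors the advisory lists as a log indicator need broader terms (for example "failed" or "probe of") if they are to be caught alongside the memory-pressure messages.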