CVE-2022-50477 – This is a memory leak vulnerability in the Linu... (How to Fix)

Q: What is the severity of CVE-2022-50477?

CVE-2022-50477 has a CVSS score of 5.5 (MEDIUM). This is a memory leak vulnerability in the Linux kernel's RTC (Real-Time Clock) subsystem. When dev_set_name() fails during device allocation, the previously allocated rtc_device structure is not properly freed, leading to kernel memory exhaustion over time. This affects Linux systems using RTC devices.

📋 TL;DR

This is a memory leak vulnerability in the Linux kernel's RTC (Real-Time Clock) subsystem. When dev_set_name() fails during device allocation, the previously allocated rtc_device structure is not properly freed, leading to kernel memory exhaustion over time. This affects Linux systems using RTC devices.

💻 Affected Systems

Products:

Linux kernel

Versions: Specific affected versions not explicitly stated, but the fix was applied to stable kernel trees.

Operating Systems: Linux distributions using vulnerable kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Requires RTC device allocation to trigger the vulnerable code path. The rx4581 RTC driver is mentioned in the backtrace.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained exploitation could lead to kernel memory exhaustion, causing system instability, crashes, or denial of service.

🟠

Likely Case

Gradual memory leak that may cause performance degradation or system instability over extended periods.

🟢

If Mitigated

Minimal impact with proper monitoring and memory management controls in place.

🌐 Internet-Facing: LOW - Requires local access or kernel module loading capability.

🏢 Internal Only: MEDIUM - Could be exploited by users with local access or through vulnerable RTC drivers.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering the specific failure condition in dev_set_name() during RTC device allocation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in stable kernel commits: 0bcfc8fd3e596994f527b46730579428b3a4fa5f, 59457a0f079eae19aaf322b3cc1c8ba66f55c5f3, 60da73808298ff2cfa9f165d55eb3d7aa7078601

Vendor Advisory: https://git.kernel.org/stable/c/0bcfc8fd3e596994f527b46730579428b3a4fa5f

Restart Required: Yes

Instructions:

1. Update Linux kernel to a version containing the fix. 2. Check with your distribution for security updates. 3. Reboot the system after kernel update.

🔧 Temporary Workarounds

Disable vulnerable RTC modules

linux

Prevent loading of RTC drivers that might trigger the vulnerability

echo 'blacklist rtc_rx4581' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

Monitor kernel memory usage and system stability
Restrict local user access and kernel module loading capabilities

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if RTC devices are in use. Vulnerable if using unpatched kernel with RTC functionality.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits or is newer than the patched versions.

📡 Detection & Monitoring

Log Indicators:

Kernel oops messages
Memory allocation failures in dmesg
System instability logs

Network Indicators:

None - local vulnerability only

SIEM Query:

Search for kernel panic logs or memory allocation failures in system logs

📊 Metadata

CVE ID: CVE-2022-50477

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-401

EPSS Score: 0.02% exploit probability (5.4th percentile)

Published: October 4, 2025

Last Updated: January 23, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50477, you might also want to check these: