What is the severity of CVE-2022-49219?

CVE-2022-49219 is categorized as a low severity vulnerability in the Linux kernel due to a memory leak during the D3hot to D0 transition.

How do I fix CVE-2022-49219?

To fix CVE-2022-49219, upgrade to a patched version of the Linux kernel where this vulnerability has been addressed.

What versions of the Linux kernel are affected by CVE-2022-49219?

CVE-2022-49219 affects Linux kernels from version 5.1 to 5.17.2, as well as 5.15.33 to 5.16.19.

What component in the Linux kernel is affected by CVE-2022-49219?

CVE-2022-49219 specifically affects the vfio/pci component of the Linux kernel.

What does CVE-2022-49219 impact?

CVE-2022-49219 impacts system stability by causing a memory leak when transitioning PCI devices from low power to active states.

Vulnerability/
CVE-2022-49219

medium

5.5

CWE

401

26/2/2025

2/5/2025

CVE-2022-49219: vfio/pci: fix memory leak during D3hot to D0 transition

First published: Wed Feb 26 2025(Updated: )

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: fix memory leak during D3hot to D0 transition If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does not have No_Soft_Reset bit set in its PMCSR config register), then the current PCI state will be saved locally in 'vfio_pci_core_device::pm_save' during D0->D3hot transition and same will be restored back during D3hot->D0 transition. For saving the PCI state locally, pci_store_saved_state() is being used and the pci_load_and_free_saved_state() will free the allocated memory. But for reset related IOCTLs, vfio driver calls PCI reset-related API's which will internally change the PCI power state back to D0. So, when the guest resumes, then it will get the current state as D0 and it will skip the call to vfio_pci_set_power_state() for changing the power state to D0 explicitly. In this case, the memory pointed by 'pm_save' will never be freed. In a malicious sequence, the state changing to D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be run in a loop and it can cause an OOM situation. This patch frees the earlier allocated memory first before overwriting 'pm_save' to prevent the mentioned memory leak.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected Software	Affected Version	How to fix
Linux Kernel
Linux Kernel	>=5.1<5.15.33
Linux Kernel	>=5.16<5.16.19
Linux Kernel	>=5.17<5.17.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-49219?
CVE-2022-49219 is categorized as a low severity vulnerability in the Linux kernel due to a memory leak during the D3hot to D0 transition.
How do I fix CVE-2022-49219?
To fix CVE-2022-49219, upgrade to a patched version of the Linux kernel where this vulnerability has been addressed.
What versions of the Linux kernel are affected by CVE-2022-49219?
CVE-2022-49219 affects Linux kernels from version 5.1 to 5.17.2, as well as 5.15.33 to 5.16.19.
What component in the Linux kernel is affected by CVE-2022-49219?
CVE-2022-49219 specifically affects the vfio/pci component of the Linux kernel.
What does CVE-2022-49219 impact?
CVE-2022-49219 impacts system stability by causing a memory leak when transitioning PCI devices from low power to active states.

agent/first-publish-date
agent/type
agent/title
agent/references
agent/author
agent/source
agent/description
agent/guess-ai
agent/software-canonical-lookup
collector/nvd-api
source/NVD
agent/severity
agent/remedy
agent/weakness
agent/last-modified-date
agent/softwarecombine
agent/event
agent/tags
collector/mitre-cve
source/MITRE
vendor/linux
canonical/linux kernel
version/linux kernel/5.1
version/linux kernel/5.16
version/linux kernel/5.17

Frequently Asked Questions

What is the severity of CVE-2022-49219?
CVE-2022-49219 is categorized as a low severity vulnerability in the Linux kernel due to a memory leak during the D3hot to D0 transition.
How do I fix CVE-2022-49219?
To fix CVE-2022-49219, upgrade to a patched version of the Linux kernel where this vulnerability has been addressed.
What versions of the Linux kernel are affected by CVE-2022-49219?
CVE-2022-49219 affects Linux kernels from version 5.1 to 5.17.2, as well as 5.15.33 to 5.16.19.
What component in the Linux kernel is affected by CVE-2022-49219?
CVE-2022-49219 specifically affects the vfio/pci component of the Linux kernel.
What does CVE-2022-49219 impact?
CVE-2022-49219 impacts system stability by causing a memory leak when transitioning PCI devices from low power to active states.

CVE-2022-49219: vfio/pci: fix memory leak during D3hot to D0 transition

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-49219?

How do I fix CVE-2022-49219?

What versions of the Linux kernel are affected by CVE-2022-49219?

What component in the Linux kernel is affected by CVE-2022-49219?

What does CVE-2022-49219 impact?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2022-49219?

How do I fix CVE-2022-49219?

What versions of the Linux kernel are affected by CVE-2022-49219?

What component in the Linux kernel is affected by CVE-2022-49219?

What does CVE-2022-49219 impact?