CVE-2022-48776: mtd: parsers: qcom: Fix missing free for pparts in cleanup
In the Linux kernel, the following vulnerability has been resolved:
mtd: parsers: qcom: Fix missing free for pparts in cleanup
Mtdpart doesn't free pparts when a cleanup function is declared.
Add missing free for pparts in cleanup function for smem to fix the
leak.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel memory-leak flaw in Qualcomm-related MTD partition parsing. It is not described as remote code execution or privilege escalation. The business risk is mainly stability and resource exhaustion on systems that use the affected kernel code path.
Executive priority
Handle through normal patch management, with higher priority for embedded Linux or Qualcomm-based systems where kernel stability matters. There is no source-backed evidence of active exploitation in the provided bundle.
Technical view
The Linux kernel qcom SMEM MTD parser did not free `pparts` when cleanup handling was declared. The kernel fix adds the missing free operation in the cleanup function. The provided record lists affected Linux versions including 5.14, 5.15.25, 5.16.11, and 5.17, with stable kernel commits referenced.
Likely exposure
Exposure depends on running an affected Linux kernel and using the qcom SMEM MTD partition parser code path. The sources do not identify specific distributions, devices, or configurations beyond Linux kernel version metadata.
Exploitation context
The bundle does not show CISA KEV listing, active exploitation, public exploit use, or a CVSS score. Treat this as a kernel maintenance and stability issue unless vendor guidance indicates broader impact.
Researcher notes
The public record is narrow: it describes a missing free of `pparts` in cleanup, not attacker prerequisites or impact scoring. Avoid overstating exploitability without vendor or kernel maintainer context.
Mitigation direction
Check your kernel vendor advisory for CVE-2022-48776 applicability.
Update to a kernel build containing the referenced stable fixes.
Prioritize embedded or Qualcomm-platform assets using MTD partition parsing.
Track distribution backports rather than relying only on upstream version numbers.
Validation and detection
Inventory Linux kernel versions on potentially affected assets.
Confirm whether the qcom SMEM MTD parser is built or used.
Map installed kernels against vendor fixed-package advisories.
Review change logs for the referenced upstream stable commits.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48776 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.