CVE-2022-48881: platform/x86/amd: Fix refcount leak in amd_pmc_probe
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd: Fix refcount leak in amd_pmc_probe
pci_get_domain_bus_and_slot() takes reference, the caller should release
the reference by calling pci_dev_put() after use. Call pci_dev_put() in
the error path to fix this.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue is a resource-management bug in AMD platform power-management probing. A reference acquired for a PCI device was not released on an error path. The public record does not state a direct security impact, CVSS score, or active exploitation.
Executive priority
Handle as routine kernel hygiene unless your Linux fleet includes affected AMD systems or a vendor advisory assigns higher severity. There is no supplied evidence of active exploitation or business-disruptive impact.
Technical view
In platform/x86/amd, amd_pmc_probe calls pci_get_domain_bus_and_slot(), which increments a PCI device reference. On an error path, the code failed to call pci_dev_put(), causing a reference leak. Kernel stable commits add the missing release.
Likely exposure
Exposure appears limited to Linux systems running affected kernel builds with the AMD PMC platform driver path present. The supplied data lists Linux kernel versions including 5.18, 6.1.7, and 6.2, but exact distribution package exposure should be verified with vendor advisories.
Exploitation context
The source bundle shows no KEV listing and provides no evidence of active exploitation. The public description frames this as a refcount leak fix, not a documented remote or privilege-escalation exploit path.
Researcher notes
The key behavior is a missing pci_dev_put() after pci_get_domain_bus_and_slot() on the amd_pmc_probe error path. Public evidence is narrow: it establishes the code defect and fix, but not exploitability, impact scope, or attacker prerequisites.
Mitigation direction
Update to kernel or distribution packages containing the referenced stable fixes.
Check Linux distribution advisories for package-specific affected and fixed versions.
Prioritize normal kernel maintenance unless vendor guidance raises severity.
Track this CVE in vulnerability management until patched or marked not applicable.
Validation and detection
Inventory Linux kernel versions across AMD-based systems.
Confirm whether affected systems include the AMD PMC platform driver path.
Map installed kernel packages against distribution advisories for CVE-2022-48881.
Verify remediated systems include the referenced stable kernel fix commits.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48881 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.