LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48888: drm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path of_icc_get() alloc resources for path1, we should release it when not need anymore. Early return when IS_ERR_OR_NULL(path0) may leak path1. Defer getting path1 to fix this. Patchwork: https://patchwork.freedesktop.org/patch/514264/

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-48888 is a Linux kernel memory leak in the MSM display subsystem code. It may waste kernel resources when the affected path is reached. The public sources do not show active exploitation, CVSS scoring, or a broad business-impact statement.

Executive priority

Handle through normal kernel patch management, with priority for MSM-based devices or products where display-driver stability matters. No source provided supports emergency treatment or active exploitation.

Technical view

The fix changes drm/msm/dpu msm_mdss_parse_data_bus_icc_path so an interconnect path allocated by of_icc_get is not leaked when an early return occurs for path0. The issue is kernel-resource lifetime handling, not a documented code-execution flaw in the provided sources.

Likely exposure

Exposure appears limited to Linux kernels using the affected drm/msm/dpu code path, commonly tied to MSM display support. Confirm with kernel version, configuration, device tree, and vendor kernel backports.

Exploitation context

The source bundle marks KEV as false and provides no evidence of public exploitation. Impact details are incomplete; treat it as a resource-leak maintenance issue unless vendor guidance says otherwise.

Researcher notes

Evidence supports a memory leak caused by resource acquisition before an error-path return. The bundle does not provide CVSS, CWE, exploitability analysis, or detailed affected-version ranges beyond Linux kernel metadata and stable commit references.

Mitigation direction

  • Check Linux vendor advisories for CVE-2022-48888 coverage.
  • Update to a kernel containing the referenced stable fixes.
  • Confirm downstream vendor kernels backported the fix.
  • Prioritize exposed MSM display platforms over unrelated Linux systems.
  • Monitor kernel memory pressure on affected device classes.

Validation and detection

  • Inventory Linux kernel versions on relevant systems.
  • Check kernel changelogs for the referenced stable commits.
  • Verify whether drm/msm/dpu support is enabled or present.
  • Confirm vendor packages map to fixed upstream commits.
  • Document systems deferred due to unavailable vendor guidance.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48888 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxb9364eed9232f3d2a846f68c2307eb25c93cc2d0, b9364eed9232f3d2a846f68c2307eb25c93cc2d0unaffected
LinuxLinux5.19, 0, 6.1.7, 6.2affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.