In the Linux kernel, the following vulnerability has been resolved:
gpio: amd8111: Fix PCI device reference count leak
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL
input parameter, there is no problem for the 'Device not found' branch.
For the normal path, add pci_dev_put() in amd_gpio_exit().
Security readout for executives and security teams
Plain-English summary
CVE-2022-48973 is a Linux kernel bug in the amd8111 GPIO driver where a PCI device reference was not released correctly. The public sources describe a resource reference leak, not remote code execution or data theft. Severity and CVSS are not provided, so urgency depends on whether affected kernels and this driver are present in your estate.
Executive priority
Handle through routine kernel patch management unless validation shows affected production systems using this driver. There is no provided evidence of active exploitation or severe business impact, but kernel defects should not be ignored on long-lived infrastructure.
Technical view
The amd8111 GPIO code iterates PCI devices using for_each_pci_dev(), backed by pci_get_device(), which increments the returned pci_dev reference. When the loop exits with pdev still set, the code failed to call pci_dev_put(). The fix adds pci_dev_put() after the out label and during amd_gpio_exit().
Likely exposure
Exposure appears limited to Linux kernels listed as affected in the CVE source bundle, especially where the amd8111 GPIO driver is built or loaded. The sources do not identify distributions, default configurations, cloud images, containers, or hardware-specific exposure, so asset validation is required.
Exploitation context
The source bundle does not report active exploitation, KEV listing, exploit availability, or attacker prerequisites. Based only on the cited text, this is a kernel resource-management flaw involving a PCI reference count leak. Practical impact is not fully evidenced in the provided sources.
Researcher notes
The key evidence is the missing pci_dev_put() after breaking a for_each_pci_dev() loop and in amd_gpio_exit(). The public record lacks CVSS, CWE, threat model, exploitability analysis, and distribution-specific fixed versions. Treat impact assessment as incomplete until vendor advisories are reviewed.
Mitigation direction
Apply Linux kernel vendor updates that include the referenced stable fixes.
Prioritize systems running affected kernel versions with the amd8111 GPIO driver present.
Check distribution advisories for backported fixes and package-specific version mapping.
Use normal kernel change controls and reboot requirements for deployed updates.
Validation and detection
Inventory Linux kernel versions against the affected versions in the CVE bundle.
Check whether the amd8111 GPIO driver is built, available, or loaded.
Confirm installed kernels contain one of the referenced upstream stable fixes or vendor backport.
Review kernel and distribution advisories for local severity and applicability notes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48973 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.