CVE-2022-49002: iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() for the error path to avoid reference count leak.
Security readout for executives and security teams
Plain-English summary
CVE-2022-49002 is a Linux kernel issue in Intel VT-d IOMMU handling where an error path can leak a PCI device reference. The public record does not provide CVSS, confirmed impact severity, or active exploitation evidence. Treat it as a kernel maintenance risk until vendor guidance clarifies practical impact.
Executive priority
Handle through normal kernel patch governance unless your environment has unpatched affected kernels in critical infrastructure. There is no cited evidence of active exploitation, but kernel resource-management flaws should not be ignored indefinitely.
Technical view
The fix adds a missing pci_dev_put() when dmar_dev_scope_init() exits a for_each_pci_dev() loop early with a non-null pci_dev. Because for_each_pci_dev() uses pci_get_device(), the missing release can leak a pci_dev reference on the error path.
Likely exposure
Exposure is limited to Linux kernel versions identified as affected in the CVE record, especially systems using kernel lines around 3.15 through 6.1-era stable releases. Exact downstream distribution exposure depends on whether the referenced stable fixes are backported.
Exploitation context
The source bundle does not report active exploitation, KEV listing, exploit availability, or a practical attack scenario. Evidence supports a kernel reference-count leak bug, but not a demonstrated remote, local, privilege, or denial-of-service exploit path.
Researcher notes
The public record is narrow: it describes a missing pci_dev_put() in the dmar_dev_scope_init() error path and lists stable kernel commit references. No CWE, CVSS, exploitability notes, or impact statement are provided, so severity confidence is limited.
Mitigation direction
Update affected Linux kernels through the distribution or vendor-supported channel.
Confirm whether referenced kernel stable commits are included in deployed builds.
Check vendor advisories for backports, fixed package versions, and operational mitigations.
Prioritize kernel updates on systems with strict uptime or virtualization dependency.
Avoid assuming a workaround exists unless vendor guidance names one.
Validation and detection
Inventory deployed Linux kernel versions across servers, appliances, and images.
Compare versions against the CVE record and distribution advisories.
Review kernel package changelogs for the referenced stable commit identifiers.
Verify updated systems boot successfully and retain required IOMMU behavior.
Track exceptions where vendor kernels are unsupported or unpatched.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49002 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.