LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49002: iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the error path to avoid reference count leak.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-49002 is a Linux kernel issue in Intel VT-d IOMMU handling where an error path can leak a PCI device reference. The public record does not provide CVSS, confirmed impact severity, or active exploitation evidence. Treat it as a kernel maintenance risk until vendor guidance clarifies practical impact.

Executive priority

Handle through normal kernel patch governance unless your environment has unpatched affected kernels in critical infrastructure. There is no cited evidence of active exploitation, but kernel resource-management flaws should not be ignored indefinitely.

Technical view

The fix adds a missing pci_dev_put() when dmar_dev_scope_init() exits a for_each_pci_dev() loop early with a non-null pci_dev. Because for_each_pci_dev() uses pci_get_device(), the missing release can leak a pci_dev reference on the error path.

Likely exposure

Exposure is limited to Linux kernel versions identified as affected in the CVE record, especially systems using kernel lines around 3.15 through 6.1-era stable releases. Exact downstream distribution exposure depends on whether the referenced stable fixes are backported.

Exploitation context

The source bundle does not report active exploitation, KEV listing, exploit availability, or a practical attack scenario. Evidence supports a kernel reference-count leak bug, but not a demonstrated remote, local, privilege, or denial-of-service exploit path.

Researcher notes

The public record is narrow: it describes a missing pci_dev_put() in the dmar_dev_scope_init() error path and lists stable kernel commit references. No CWE, CVSS, exploitability notes, or impact statement are provided, so severity confidence is limited.

Mitigation direction

  • Update affected Linux kernels through the distribution or vendor-supported channel.
  • Confirm whether referenced kernel stable commits are included in deployed builds.
  • Check vendor advisories for backports, fixed package versions, and operational mitigations.
  • Prioritize kernel updates on systems with strict uptime or virtualization dependency.
  • Avoid assuming a workaround exists unless vendor guidance names one.

Validation and detection

  • Inventory deployed Linux kernel versions across servers, appliances, and images.
  • Compare versions against the CVE record and distribution advisories.
  • Review kernel package changelogs for the referenced stable commit identifiers.
  • Verify updated systems boot successfully and retain required IOMMU behavior.
  • Track exceptions where vendor kernels are unsupported or unpatched.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49002 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux2e45528930388658603ea24d49cf52867b928d3e, 2e45528930388658603ea24d49cf52867b928d3e, 2e45528930388658603ea24d49cf52867b928d3e, 2e45528930388658603ea24d49cf52867b928d3e, 2e45528930388658603ea24d49cf52867b928d3e, 2e45528930388658603ea24d49cf52867b928d3e, 2e45528930388658603ea24d49cf52867b928d3e, 2e45528930388658603ea24d49cf52867b928d3eunaffected
LinuxLinux3.15, 0, 4.9.335, 4.14.301, 4.19.268, 5.4.226, 5.10.158, 5.15.82, 6.0.12, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.