LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49016: net: mdiobus: fix unbalanced node reference count

In the Linux kernel, the following vulnerability has been resolved: net: mdiobus: fix unbalanced node reference count I got the following report while doing device(mscc-miim) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0 If the 'fwnode' is not an acpi node, the refcount is get in fwnode_mdiobus_phy_device_register(), but it has never been put when the device is freed in the normal path. So call fwnode_handle_put() in phy_device_release() to avoid leak. If it's an acpi node, it has never been get, but it's put in the error path, so call fwnode_handle_get() before phy_device_register() to keep get/put operation balanced.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

CVE-2022-49016 is a Linux kernel resource-management bug in MDIO bus PHY device handling. It can leave device-tree node references unbalanced, causing a memory leak. The public record does not provide CVSS, impact severity, or evidence of active exploitation.

Executive priority

Treat as routine kernel hygiene unless your environment has affected embedded or network devices with slow patch cycles. There is no cited exploitation evidence, but persistent kernel memory leaks can affect reliability over time.

Technical view

The fix balances fwnode get/put handling in phy_device_release() and before phy_device_register(). The reported leak appeared during mscc-miim device load testing with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled. The issue affects Linux kernel code paths around mdiobus PHY registration for non-ACPI and ACPI firmware nodes.

Likely exposure

Most exposure is likely in Linux systems using affected kernel builds with MDIO/Ethernet PHY device registration paths, especially embedded or networking platforms. The source data does not indicate broad remote exposure or user-triggerable attack paths.

Exploitation context

No source in the bundle reports active exploitation, public exploit code, or inclusion in CISA KEV. The described condition is a kernel memory leak found during device load testing, not a demonstrated privilege escalation or remote compromise path.

Researcher notes

The record lacks CVSS, CWE, and detailed affected-version ranges beyond Linux kernel references. Analysis should focus on commit presence and vendor backports rather than version strings alone. Avoid assuming exploitability beyond the documented reference leak.

Mitigation direction

  • Check whether your kernel vendor has shipped the referenced stable fixes.
  • Update affected Linux kernels through supported vendor channels.
  • Prioritize embedded and network appliances using MDIO/Ethernet PHY hardware.
  • If updates are unavailable, request vendor guidance for this specific kernel fix.

Validation and detection

  • Inventory Linux kernel versions and vendor patch levels.
  • Confirm whether referenced stable commits are present in your kernel tree.
  • Identify systems using MDIO bus or Ethernet PHY drivers.
  • Review kernel logs and test results for device-tree reference leak messages.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49016 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxbc1bee3b87ee48bd97ef7fd306445132ba2041b0, bc1bee3b87ee48bd97ef7fd306445132ba2041b0, bc1bee3b87ee48bd97ef7fd306445132ba2041b0unaffected
LinuxLinux5.14, 0, 5.15.82, 6.0.12, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.