In the Linux kernel, the following vulnerability has been resolved:
net: mdiobus: fix unbalanced node reference count
I got the following report while doing device(mscc-miim) load test
with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0
If the 'fwnode' is not an acpi node, the refcount is get in
fwnode_mdiobus_phy_device_register(), but it has never been
put when the device is freed in the normal path. So call
fwnode_handle_put() in phy_device_release() to avoid leak.
If it's an acpi node, it has never been get, but it's put
in the error path, so call fwnode_handle_get() before
phy_device_register() to keep get/put operation balanced.
Security readout for executives and security teams
Plain-English summary
CVE-2022-49016 is a Linux kernel resource-management bug in MDIO bus PHY device handling. It can leave device-tree node references unbalanced, causing a memory leak. The public record does not provide CVSS, impact severity, or evidence of active exploitation.
Executive priority
Treat as routine kernel hygiene unless your environment has affected embedded or network devices with slow patch cycles. There is no cited exploitation evidence, but persistent kernel memory leaks can affect reliability over time.
Technical view
The fix balances fwnode get/put handling in phy_device_release() and before phy_device_register(). The reported leak appeared during mscc-miim device load testing with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled. The issue affects Linux kernel code paths around mdiobus PHY registration for non-ACPI and ACPI firmware nodes.
Likely exposure
Most exposure is likely in Linux systems using affected kernel builds with MDIO/Ethernet PHY device registration paths, especially embedded or networking platforms. The source data does not indicate broad remote exposure or user-triggerable attack paths.
Exploitation context
No source in the bundle reports active exploitation, public exploit code, or inclusion in CISA KEV. The described condition is a kernel memory leak found during device load testing, not a demonstrated privilege escalation or remote compromise path.
Researcher notes
The record lacks CVSS, CWE, and detailed affected-version ranges beyond Linux kernel references. Analysis should focus on commit presence and vendor backports rather than version strings alone. Avoid assuming exploitability beyond the documented reference leak.
Mitigation direction
Check whether your kernel vendor has shipped the referenced stable fixes.
Update affected Linux kernels through supported vendor channels.
Prioritize embedded and network appliances using MDIO/Ethernet PHY hardware.
If updates are unavailable, request vendor guidance for this specific kernel fix.
Validation and detection
Inventory Linux kernel versions and vendor patch levels.
Confirm whether referenced stable commits are present in your kernel tree.
Identify systems using MDIO bus or Ethernet PHY drivers.
Review kernel logs and test results for device-tree reference leak messages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49016 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.