LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49024: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods

In the Linux kernel, the following vulnerability has been resolved: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods In m_can_pci_remove() and error handling path of m_can_pci_probe(), m_can_class_free_dev() should be called to free resource allocated by m_can_class_allocate_dev(), otherwise there will be memleak.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue is a memory leak in the PCI driver for Bosch M_CAN CAN bus support. The sources describe missed cleanup during device removal and probe failure handling. Business impact appears limited to stability or resource exhaustion risk on systems using this driver; no source shows active exploitation or remote compromise.

Executive priority

Handle through normal kernel patch management, with priority for industrial, automotive, embedded, or lab systems using CAN bus interfaces. Current sources do not support emergency treatment, active exploitation claims, or broad internet-facing risk.

Technical view

The m_can PCI probe/remove paths allocate resources with m_can_class_allocate_dev() but did not consistently call m_can_class_free_dev() on cleanup paths. The resolved change adds the missing free call. The bundle lists Linux affected versions, but exact distribution package ranges and backport status require vendor confirmation.

Likely exposure

Exposure is most likely on Linux systems using kernels with the m_can PCI driver and CAN hardware or virtualized PCI device paths. General Linux servers without this driver in use may have little practical exposure, but kernel package status should still be checked.

Exploitation context

CISA KEV status is false in the supplied data. The sources do not cite public exploitation, exploit code, privilege impact, or remote attack capability. The documented issue is a kernel memory leak during driver probe/remove and error handling.

Researcher notes

Evidence is narrow and kernel-specific. The bundle identifies a missed free in m_can PCI cleanup paths and three stable commit references. It does not provide CVSS, CWE, full version range semantics, distribution advisories, or exploitability analysis.

Mitigation direction

  • Update to a kernel or vendor package containing the referenced stable fixes.
  • Check Linux distribution advisories for backported fixes and affected package versions.
  • Prioritize systems that use CAN bus hardware or the m_can PCI driver.
  • If immediate patching is blocked, follow vendor guidance for driver exposure reduction.

Validation and detection

  • Inventory kernel versions and vendor package release levels across Linux assets.
  • Check whether the m_can PCI driver is present, loaded, or required.
  • Confirm fix inclusion by vendor changelog or referenced stable commit IDs.
  • Track this as a stability/resource-leak issue unless new evidence changes impact.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49024 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxcab7ffc0324f053c8fb56c821cdd63dc0383270d, cab7ffc0324f053c8fb56c821cdd63dc0383270d, cab7ffc0324f053c8fb56c821cdd63dc0383270dunaffected
LinuxLinux5.11, 0, 5.15.82, 6.0.12, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.