CVE-2022-49024: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods
In the Linux kernel, the following vulnerability has been resolved:
can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods
In m_can_pci_remove() and error handling path of m_can_pci_probe(),
m_can_class_free_dev() should be called to free resource allocated by
m_can_class_allocate_dev(), otherwise there will be memleak.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue is a memory leak in the PCI driver for Bosch M_CAN CAN bus support. The sources describe missed cleanup during device removal and probe failure handling. Business impact appears limited to stability or resource exhaustion risk on systems using this driver; no source shows active exploitation or remote compromise.
Executive priority
Handle through normal kernel patch management, with priority for industrial, automotive, embedded, or lab systems using CAN bus interfaces. Current sources do not support emergency treatment, active exploitation claims, or broad internet-facing risk.
Technical view
The m_can PCI probe/remove paths allocate resources with m_can_class_allocate_dev() but did not consistently call m_can_class_free_dev() on cleanup paths. The resolved change adds the missing free call. The bundle lists Linux affected versions, but exact distribution package ranges and backport status require vendor confirmation.
Likely exposure
Exposure is most likely on Linux systems using kernels with the m_can PCI driver and CAN hardware or virtualized PCI device paths. General Linux servers without this driver in use may have little practical exposure, but kernel package status should still be checked.
Exploitation context
CISA KEV status is false in the supplied data. The sources do not cite public exploitation, exploit code, privilege impact, or remote attack capability. The documented issue is a kernel memory leak during driver probe/remove and error handling.
Researcher notes
Evidence is narrow and kernel-specific. The bundle identifies a missed free in m_can PCI cleanup paths and three stable commit references. It does not provide CVSS, CWE, full version range semantics, distribution advisories, or exploitability analysis.
Mitigation direction
Update to a kernel or vendor package containing the referenced stable fixes.
Check Linux distribution advisories for backported fixes and affected package versions.
Prioritize systems that use CAN bus hardware or the m_can PCI driver.
If immediate patching is blocked, follow vendor guidance for driver exposure reduction.
Validation and detection
Inventory kernel versions and vendor package release levels across Linux assets.
Check whether the m_can PCI driver is present, loaded, or required.
Confirm fix inclusion by vendor changelog or referenced stable commit IDs.
Track this as a stability/resource-leak issue unless new evidence changes impact.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49024 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.