LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49803: netdevsim: Fix memory leak of nsim_dev->fa_cookie

In the Linux kernel, the following vulnerability has been resolved: netdevsim: Fix memory leak of nsim_dev->fa_cookie kmemleak reports this issue: unreferenced object 0xffff8881bac872d0 (size 8): comm "sh", pid 58603, jiffies 4481524462 (age 68.065s) hex dump (first 8 bytes): 04 00 00 00 de ad be ef ........ backtrace: [<00000000c80b8577>] __kmalloc+0x49/0x150 [<000000005292b8c6>] nsim_dev_trap_fa_cookie_write+0xc1/0x210 [netdevsim] [<0000000093d78e77>] full_proxy_write+0xf3/0x180 [<000000005a662c16>] vfs_write+0x1c5/0xaf0 [<000000007aabf84a>] ksys_write+0xed/0x1c0 [<000000005f1d2e47>] do_syscall_64+0x3b/0x90 [<000000006001c6ec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd The issue occurs in the following scenarios: nsim_dev_trap_fa_cookie_write() kmalloc() fa_cookie nsim_dev->fa_cookie = fa_cookie .. nsim_drv_remove() The fa_cookie allocked in nsim_dev_trap_fa_cookie_write() is not freed. To fix, add kfree(nsim_dev->fa_cookie) to nsim_drv_remove().

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue is a memory leak in the netdevsim component. When a simulated network device is removed after writing a trap flow-action cookie, allocated memory was not released. The public record does not show code execution, privilege escalation, data exposure, CVSS scoring, or active exploitation.

Executive priority

Treat this as routine kernel maintenance unless netdevsim is actively used in sensitive test or lab infrastructure. There is no source-backed evidence of active exploitation or high-impact compromise.

Technical view

The described bug is in nsim_dev_trap_fa_cookie_write(), which allocates nsim_dev->fa_cookie. During nsim_drv_remove(), that allocation was not freed. The fix adds kfree(nsim_dev->fa_cookie) on removal. Evidence is limited to the kernel CVE record and stable commit references.

Likely exposure

Exposure appears limited to Linux systems with affected kernels where the netdevsim component is present and used. The source bundle does not identify broader product exposure, distribution package status, or default exploitability conditions.

Exploitation context

The bundle reports no KEV listing and no cited active exploitation. It describes a memory leak detected by kmemleak, not a demonstrated attack chain. Any exploitability beyond resource leakage is not supported by the provided evidence.

Researcher notes

The affected-version data is sparse and partly ambiguous. The most useful validation path is commit-level comparison against the referenced stable fixes and local confirmation of netdevsim availability. Avoid assuming impact beyond the documented leak.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable fixes.
  • Check your Linux distribution advisory for the supported fixed package.
  • Prioritize systems that enable or use netdevsim functionality.
  • Track the CVE until vendor severity and package mappings are available.

Validation and detection

  • Inventory kernels matching the affected Linux version data in the CVE record.
  • Check whether netdevsim is built, available, or loaded on relevant systems.
  • Confirm the running kernel includes one referenced stable fix commit.
  • Review vendor advisories for distribution-specific affected and fixed versions.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49803 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
5Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd3cbb907ae57fe5da314b51d949b617b538bdeae, d3cbb907ae57fe5da314b51d949b617b538bdeae, d3cbb907ae57fe5da314b51d949b617b538bdeae, d3cbb907ae57fe5da314b51d949b617b538bdeaeunaffected
LinuxLinux5.7, 0, 5.10.260, 5.15.209, 6.0.10, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.