CVE-2022-49803: netdevsim: Fix memory leak of nsim_dev->fa_cookie
In the Linux kernel, the following vulnerability has been resolved:
netdevsim: Fix memory leak of nsim_dev->fa_cookie
kmemleak reports this issue:
unreferenced object 0xffff8881bac872d0 (size 8):
comm "sh", pid 58603, jiffies 4481524462 (age 68.065s)
hex dump (first 8 bytes):
04 00 00 00 de ad be ef ........
backtrace:
[<00000000c80b8577>] __kmalloc+0x49/0x150
[<000000005292b8c6>] nsim_dev_trap_fa_cookie_write+0xc1/0x210 [netdevsim]
[<0000000093d78e77>] full_proxy_write+0xf3/0x180
[<000000005a662c16>] vfs_write+0x1c5/0xaf0
[<000000007aabf84a>] ksys_write+0xed/0x1c0
[<000000005f1d2e47>] do_syscall_64+0x3b/0x90
[<000000006001c6ec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
The issue occurs in the following scenarios:
nsim_dev_trap_fa_cookie_write()
kmalloc() fa_cookie
nsim_dev->fa_cookie = fa_cookie
..
nsim_drv_remove()
The fa_cookie allocked in nsim_dev_trap_fa_cookie_write() is not freed. To
fix, add kfree(nsim_dev->fa_cookie) to nsim_drv_remove().
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue is a memory leak in the netdevsim component. When a simulated network device is removed after writing a trap flow-action cookie, allocated memory was not released. The public record does not show code execution, privilege escalation, data exposure, CVSS scoring, or active exploitation.
Executive priority
Treat this as routine kernel maintenance unless netdevsim is actively used in sensitive test or lab infrastructure. There is no source-backed evidence of active exploitation or high-impact compromise.
Technical view
The described bug is in nsim_dev_trap_fa_cookie_write(), which allocates nsim_dev->fa_cookie. During nsim_drv_remove(), that allocation was not freed. The fix adds kfree(nsim_dev->fa_cookie) on removal. Evidence is limited to the kernel CVE record and stable commit references.
Likely exposure
Exposure appears limited to Linux systems with affected kernels where the netdevsim component is present and used. The source bundle does not identify broader product exposure, distribution package status, or default exploitability conditions.
Exploitation context
The bundle reports no KEV listing and no cited active exploitation. It describes a memory leak detected by kmemleak, not a demonstrated attack chain. Any exploitability beyond resource leakage is not supported by the provided evidence.
Researcher notes
The affected-version data is sparse and partly ambiguous. The most useful validation path is commit-level comparison against the referenced stable fixes and local confirmation of netdevsim availability. Avoid assuming impact beyond the documented leak.
Mitigation direction
Update to a Linux kernel containing the referenced stable fixes.
Check your Linux distribution advisory for the supported fixed package.
Prioritize systems that enable or use netdevsim functionality.
Track the CVE until vendor severity and package mappings are available.
Validation and detection
Inventory kernels matching the affected Linux version data in the CVE record.
Check whether netdevsim is built, available, or loaded on relevant systems.
Confirm the running kernel includes one referenced stable fix commit.
Review vendor advisories for distribution-specific affected and fixed versions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49803 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 1, 2025, 14:09 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.