CVE-2022-50318: perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
pci_get_device() will increase the reference count for the returned
'dev'. We need to call pci_dev_put() to decrease the reference count.
Since 'dev' is only used in pci_read_config_dword(), let's add
pci_dev_put() right after it.
This is a Linux kernel resource-management bug in Intel uncore performance-monitoring code. The kernel could leak a PCI device reference in a specific code path. Public data provided does not include a CVSS score, KEV listing, or evidence of active exploitation.
Executive priority
Treat as a routine kernel hygiene item unless your Linux vendor assigns higher severity. There is no supplied evidence of exploitation or internet-facing exposure, but kernel fixes should be folded into standard patch cycles.
Technical view
In perf/x86/intel/uncore, hswep_has_limit_sbox() called pci_get_device(), which increments a device reference count, then used pci_read_config_dword() without releasing the reference. The fix adds pci_dev_put() after the read. Impact details are not fully characterized in the provided sources.
Likely exposure
Exposure is limited to Linux kernels containing this code path, especially Intel x86 systems using affected kernel builds. It is not described as remotely reachable. Distribution backports may make version-string checks unreliable.
Exploitation context
No provided source states active exploitation, and KEV is false. The public description indicates a reference-count leak, not a direct memory corruption or authentication bypass. Practical impact remains unclear from the supplied record.
Researcher notes
The record lacks CVSS, CWE, and detailed impact analysis. The key artifact is the upstream stable fix for a missing pci_dev_put() after pci_get_device(). Validate affectedness through exact kernel source or vendor backport metadata.
Mitigation direction
Check Linux vendor advisories for kernels containing the referenced stable fixes.
Prioritize kernel updates during normal maintenance unless vendor guidance raises severity.
For appliances, request confirmation that the vendor kernel includes the fix.
Avoid assuming upstream version numbers match distribution backported fixes.
Validation and detection
Inventory Linux kernel versions and hardware platforms using Intel x86 systems.
Compare installed kernels against vendor advisories and the referenced stable commits.
Confirm whether distribution changelogs mention CVE-2022-50318 or the uncore perf fix.
Document systems where kernel updates require maintenance windows.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50318 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
8Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Sep 15, 2025, 14:48 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.