CVE-2022-50458: clk: tegra: Fix refcount leak in tegra210_clock_init
In the Linux kernel, the following vulnerability has been resolved:
clk: tegra: Fix refcount leak in tegra210_clock_init
of_find_matching_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel resource-accounting bug in NVIDIA Tegra210 clock initialization. A device-tree node reference was not released after lookup, causing a reference-count leak. The public record gives no CVSS, CWE, exploitability detail, or active exploitation evidence. Business urgency is mainly for teams shipping or operating Linux on affected Tegra210-class systems.
Executive priority
Treat as a low-priority kernel maintenance item unless Tegra210-based products are in scope. There is no supplied evidence of active exploitation or severe impact, but embedded product teams should fold the fix into scheduled kernel updates.
Technical view
tegra210_clock_init used of_find_matching_node(), which increments the returned device-tree node reference count. The fix adds the missing of_node_put() when the node is no longer needed. Sources identify Linux kernel versions as affected and link multiple stable-branch fixes, but do not describe privilege impact, crashability, or attack preconditions.
Likely exposure
Likely limited to Linux systems using the Tegra210 clock driver path. General Linux fleets without Tegra210-related hardware or device-tree use are less likely to be exposed, but kernel inventory should confirm affected versions and applied stable fixes.
Exploitation context
The CVE is not listed as KEV in the supplied bundle, and the sources do not claim active exploitation. The described issue is a refcount leak, not a documented remote code execution or privilege-escalation path. Exploitability evidence is incomplete.
Researcher notes
The record identifies the root cause and fix pattern, but lacks CVSS, CWE, and attack analysis. Validation should focus on source or build provenance: whether the missing of_node_put() fix is present in the deployed kernel branch.
Mitigation direction
Check vendor kernel advisories for the relevant distribution or device BSP.
Update to a kernel build containing the linked stable fix for your branch.
Prioritize embedded or appliance images using Tegra210 hardware.
Track remediation through normal kernel update and reboot processes.
Validation and detection
Inventory kernels and devices using Tegra210 clock support.
Compare deployed kernel builds against the linked stable fix commits.
Confirm vendor BSP or distribution release notes include this fix.
Run regression testing for boot and clock behavior after kernel updates.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50458 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
10Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 1, 2025, 11:45 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.