LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50458: clk: tegra: Fix refcount leak in tegra210_clock_init

In the Linux kernel, the following vulnerability has been resolved: clk: tegra: Fix refcount leak in tegra210_clock_init of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel resource-accounting bug in NVIDIA Tegra210 clock initialization. A device-tree node reference was not released after lookup, causing a reference-count leak. The public record gives no CVSS, CWE, exploitability detail, or active exploitation evidence. Business urgency is mainly for teams shipping or operating Linux on affected Tegra210-class systems.

Executive priority

Treat as a low-priority kernel maintenance item unless Tegra210-based products are in scope. There is no supplied evidence of active exploitation or severe impact, but embedded product teams should fold the fix into scheduled kernel updates.

Technical view

tegra210_clock_init used of_find_matching_node(), which increments the returned device-tree node reference count. The fix adds the missing of_node_put() when the node is no longer needed. Sources identify Linux kernel versions as affected and link multiple stable-branch fixes, but do not describe privilege impact, crashability, or attack preconditions.

Likely exposure

Likely limited to Linux systems using the Tegra210 clock driver path. General Linux fleets without Tegra210-related hardware or device-tree use are less likely to be exposed, but kernel inventory should confirm affected versions and applied stable fixes.

Exploitation context

The CVE is not listed as KEV in the supplied bundle, and the sources do not claim active exploitation. The described issue is a refcount leak, not a documented remote code execution or privilege-escalation path. Exploitability evidence is incomplete.

Researcher notes

The record identifies the root cause and fix pattern, but lacks CVSS, CWE, and attack analysis. Validation should focus on source or build provenance: whether the missing of_node_put() fix is present in the deployed kernel branch.

Mitigation direction

  • Check vendor kernel advisories for the relevant distribution or device BSP.
  • Update to a kernel build containing the linked stable fix for your branch.
  • Prioritize embedded or appliance images using Tegra210 hardware.
  • Track remediation through normal kernel update and reboot processes.

Validation and detection

  • Inventory kernels and devices using Tegra210 clock support.
  • Compare deployed kernel builds against the linked stable fix commits.
  • Confirm vendor BSP or distribution release notes include this fix.
  • Run regression testing for boot and clock behavior after kernel updates.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-50458 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
10Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux6b301a059eb2ebed1b12a900e3b21a38e48dd410, 6b301a059eb2ebed1b12a900e3b21a38e48dd410, 6b301a059eb2ebed1b12a900e3b21a38e48dd410, 6b301a059eb2ebed1b12a900e3b21a38e48dd410, 6b301a059eb2ebed1b12a900e3b21a38e48dd410, 6b301a059eb2ebed1b12a900e3b21a38e48dd410, 6b301a059eb2ebed1b12a900e3b21a38e48dd410, 6b301a059eb2ebed1b12a900e3b21a38e48dd410, 6b301a059eb2ebed1b12a900e3b21a38e48dd410unaffected
LinuxLinux4.5, 0, 4.9.331, 4.14.296, 4.19.262, 5.4.220, 5.10.150, 5.15.75, 5.19.17, 6.0.3, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.