CVE-2022-50514
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: fix refcount leak on error path
When failing to allocate report_desc, opts->refcnt has already been incremented so it needs to be decremented to avoid leaving the options structure permanently locked.
Analysis
A reference count leak exists in the Linux kernel's USB HID gadget driver (f_hid module): opts->refcnt is incremented but not decremented when the report_desc allocation fails, which leaves the options structure permanently locked and causes a denial of service condition. This affects all Linux kernel versions running the vulnerable USB gadget code path and requires local privileges to trigger. The CVSS score is 5.5 (medium) and the EPSS percentile is extremely low at 0.01. Patches are available from multiple stable kernel branches, indicating this is a real but low-priority issue with no known active exploitation.
Technical Context
The vulnerability exists in the USB HID (Human Interface Device) gadget driver subsystem within the Linux kernel, specifically in the f_hid.c module which handles dynamic USB HID device emulation. The root cause is a reference counting error (resource leak pattern) occurring when memory allocation fails during gadget options initialization. The opts structure maintains a refcnt field to track object lifecycle; when opts is allocated, refcnt is incremented, but if subsequent report_desc allocation fails, the error path does not decrement refcnt before returning, violating proper reference counting semantics. This causes the options object to remain referenced indefinitely, preventing proper cleanup and resource deallocation. The affected products span all Linux kernel versions (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*), though specific vulnerable version ranges are not explicitly enumerated in the provided data, suggesting the vulnerability affects a broad swath of kernel releases until patched.
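The error path described above, as an added example that is not the kernel's code: a userspace C model that runs one failed allocation with and without the decrement. The struct and function names are illustrative, the allocation failure is forced by a flag, and the -EBUSY returned by the model's store function is an assumption standing in for the "permanently locked" state.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model; names are illustrative and this is not the kernel's code. */
struct opts_model {
    int refcnt;             /* >0: a function instance is using these options */
    unsigned char desc[4];  /* stand-in for the configured report descriptor */
};

/* Alloc path: fixed=0 reproduces the leak, fixed=1 the corrected error path. */
static int model_alloc(struct opts_model *o, int fail_alloc, int fixed, void **out)
{
    ++o->refcnt;                        /* reference taken before allocating */
    *out = fail_alloc ? NULL : malloc(sizeof(o->desc));
    if (!*out) {
        if (fixed)
            --o->refcnt;                /* the fix: drop the reference on failure */
        return -ENOMEM;
    }
    memcpy(*out, o->desc, sizeof(o->desc));
    return 0;
}

/* Options write: refused while any reference is held (assumed -EBUSY). */
static int model_store(struct opts_model *o, unsigned char v)
{
    if (o->refcnt)
        return -EBUSY;
    o->desc[0] = v;
    return 0;
}

/* One forced allocation failure, then an attempt to change the options. */
static int store_after_failed_alloc(int fixed)
{
    struct opts_model o = { 0, { 5, 1, 9, 6 } };  /* constructed sample bytes */
    void *desc = NULL;
    if (model_alloc(&o, 1, fixed, &desc) != -ENOMEM)
        return 1;
    return model_store(&o, 6);
}

int main(void)
{
    printf("leaky: %d, fixed: %d\n", store_after_failed_alloc(0), store_after_failed_alloc(1));
    return 0;
}
```

In the leaky variant nothing still uses the options after the failure, yet every later write is refused because no remaining code path will ever drop the stray reference.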
Affected Products
All Linux kernel versions using the USB HID gadget driver (f_hid module) are affected, as indicated by the CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. The vulnerability is not version-specific in the available intelligence, suggesting it may affect a wide range of kernel releases. Patches are available in the stable Linux kernel branches, with fixes committed via commit IDs 216437dd64fce36791a3b6cc8f8013df36856958, 70a3288a7586526315105c699b687d78cd32559a, 80dc47e751a837106c09bec73964ff8f7ea280b4, 95412c932b3c9e8cc4431dac4fac8fcd80d54982, 9d4a0aca8a75550d3456c8de339a341dc4536ec5, ba78f7c10606719f702c04a15fb0471507b32d7b, and e88b89a096af0001bcff6bf7ad2feb1486487173 across various stable kernel branches, accessible via https://git.kernel.org/stable/.
Remediation
Apply the official kernel patches available from the Linux kernel stable branches by upgrading to a patched kernel version or cherry-picking the referenced fixes into your running kernel. The patches (accessible at https://git.kernel.org/stable/) address the reference count leak by ensuring opts->refcnt is properly decremented in the error path when report_desc allocation fails. For users unable to immediately patch, disable or avoid loading the USB HID gadget driver module if not required for system functionality (rmmod f_hid or blacklist the module). Systems using USB gadget HID emulation in embedded or development contexts should prioritize patching as part of their next scheduled kernel update cycle. Consult your Linux distribution's security advisories for pre-built patched kernel packages specific to your distribution version.