CVE-2022-50515

MEDIUM
2025-10-07 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd). Patch available
CVE Published: Oct 07, 2025 - 16:15 (nvd). MEDIUM 5.5

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()

If construction of the array of work queues to handle hpd_rx_irq offload work fails, we need to unwind. Destroy all the created workqueues and the allocated memory for the hpd_rx_irq_offload_work_queue struct array.

Analysis

A memory leak exists in the Linux kernel's AMD GPU (amdgpu) driver, in the hpd_rx_irq_create_workqueue() function: memory allocated for work queue structures is not freed if workqueue construction fails partway through initialization. This affects all Linux kernel versions with the vulnerable amdgpu driver code and requires local access with low privileges to trigger. An attacker can repeatedly trigger this condition to exhaust kernel memory and cause a denial of service, though the EPSS score of 0.01% indicates a very low likelihood of exploitation in practice. Patches are available from the Linux kernel stable branches.

Technical Context

The vulnerability resides in the AMD GPU (amdgpu) Direct Rendering Manager (DRM) subsystem of the Linux kernel, specifically in memory management during workqueue initialization for handling Hot Plug Detect (HPD) RX interrupt offload work. The root cause is classified as CWE-401 (Missing Release of Memory after Effective Lifetime), a memory leak that occurs when the hpd_rx_irq_create_workqueue() function allocates memory for an array of hpd_rx_irq_offload_work_queue structures but fails to deallocate previously created workqueues if a subsequent allocation or construction operation fails. The vulnerability affects Linux kernel implementations across all versions containing this code path, as indicated by the CPE entries (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). When workqueue initialization fails partway through the loop, the function returns an error without calling destroy_workqueue() on already-allocated queues or freeing the struct array, leading to kernel memory exhaustion over repeated trigger attempts.
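The error path described above, as an added userspace model (not the amdgpu source and not the upstream patch). struct offload_wq, wq_create(), wq_destroy(), the allocation counter and the fault-injection index are hypothetical stand-ins so the leak can be counted outside the kernel.

```c
/* Userspace model of the leak and its unwind; NOT the amdgpu source.
 * struct offload_wq, wq_create() and wq_destroy() are hypothetical stand-ins
 * for the driver's struct array, workqueue creation and destroy_workqueue(). */
#include <stdio.h>
#include <stdlib.h>

struct offload_wq { void *wq; };
static int live_allocs;   /* allocations not yet freed */
static int fail_at = -1;  /* constructed fault: index whose creation fails */

static void *tracked_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { free(p); live_allocs--; } }
static void *wq_create(int i) { return i == fail_at ? NULL : tracked_alloc(64); }
static void wq_destroy(void *wq) { tracked_free(wq); }

/* unwind == 0 models the pre-fix error path, unwind == 1 the fixed one. */
static struct offload_wq *create_queues(int n, int unwind)
{
    struct offload_wq *q = tracked_alloc((size_t)n * sizeof(*q));
    if (!q)
        return NULL;
    for (int i = 0; i < n; i++) {
        if ((q[i].wq = wq_create(i)) != NULL)
            continue;
        if (unwind) {             /* destroy queues 0..i-1, then free the array */
            while (--i >= 0)
                wq_destroy(q[i].wq);
            tracked_free(q);
        }
        return NULL;              /* pre-fix: array and earlier queues stay allocated */
    }
    return q;
}

/* Allocations still live after one attempt that fails at index fail_idx. */
static int leaked_after_failure(int n, int fail_idx, int unwind)
{
    live_allocs = 0;
    fail_at = fail_idx;
    (void)create_queues(n, unwind);
    return live_allocs;
}

int main(void)
{
    printf("pre-fix: %d live allocations\n", leaked_after_failure(4, 2, 0));
    printf("fixed:   %d live allocations\n", leaked_after_failure(4, 2, 1));
    return 0;
}
```

Each failed attempt on the pre-fix path strands the array plus every queue created before the failure, which is why repeated triggering grows unreclaimable memory.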

Affected Products

All Linux kernel versions containing the vulnerable amdgpu DRM driver code are affected, as indicated by the CPE designation cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* which matches all versions, releases, and update combinations. The vulnerability was introduced in the amdgpu driver and has been resolved through multiple stable kernel branch commits available at the Linux kernel stable tree (git.kernel.org/stable). Specific patched commits include 3ba3814c00a4817eb1cd31eff08d921c40e5f3a4, 600de40ed50c8b5ecb9c7a4f41eb882066c15a00, 7136f956c73c4ba50bfeb61653dfd6a9669ea915, and 8b8da09da2701330e7f2c371655887e3d7defe90 across different stable kernel series. Users of Linux systems with AMD GPU hardware and the amdgpu driver enabled should verify whether their kernel version includes these patches.

Remediation

Apply the latest available Linux kernel patch from your distribution's kernel vendor or the Linux kernel stable branches at https://git.kernel.org/stable/. Check for commits 3ba3814c00a4817eb1cd31eff08d921c40e5f3a4, 600de40ed50c8b5ecb9c7a4f41eb882066c15a00, 7136f956c73c4ba50bfeb61653dfd6a9669ea915, and 8b8da09da2701330e7f2c371655887e3d7defe90 in your kernel version's release notes and apply kernel updates provided by your operating system vendor (Red Hat, Ubuntu, SUSE, etc.). Until patching is possible, monitor kernel memory usage on systems with AMD GPU hardware and consider restricting local user access on shared systems to minimize the attack surface. If using cloud infrastructure with AMD GPUs, verify your hypervisor/host kernel is patched. No known workarounds exist to disable the vulnerable code path without recompiling the kernel, so patching is the primary remediation path.

Priority Score

28
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
