CVE-2022-50520

MEDIUM 5.5 (CVSS 3.1)
2025-10-07 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Oct 07, 2025 - 16:15 (nvd), MEDIUM 5.5

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()

As comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreased the refcount for the input parameter @from if it is not NULL. If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid refcount leak.

Analysis

This is a reference counting memory leak in the Linux kernel's radeon graphics driver, specifically in the radeon_atrm_get_bios() function where a PCI device pointer obtained via pci_get_class() is not properly released when loop conditions cause early exit. An authenticated local attacker with low privileges can trigger this vulnerability to cause a denial of service through kernel memory exhaustion, as unreleased PCI device objects accumulate in kernel memory. While no public exploit code exists (EPSS 0.01% indicates minimal real-world exploitation probability), the vulnerability affects all Linux kernel versions running the radeon driver and patches are available across multiple stable kernel series.

Technical Context

The vulnerability exists in the radeon Direct Rendering Manager (DRM) driver subsystem, which provides graphics acceleration for AMD Radeon GPUs. The root cause is improper resource management of PCI device objects returned by pci_get_class(), a kernel API function that increments the reference count of matched PCI devices. When the radeon_atrm_get_bios() function iterates through PCI devices to locate BIOS ROM data, the code can break from the loop without calling pci_dev_put() to decrement the refcount on the current device. This leaves the kernel holding an extra reference that prevents the PCI device structure from being freed, which is a resource leak. The affected code path is triggered during GPU initialization when the driver attempts to retrieve the BIOS firmware image from PCI ROM space.
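
The leak pattern described above, modeled in user-space C as an added example (not the radeon driver's code and not taken from the kernel tree). get_next() and dev_put() are hypothetical stand-ins that follow the pci_get_class()/pci_dev_put() contract quoted in the description, and the three-device bus is constructed sample data.

```c
/* User-space model of the iterator contract (hypothetical names, not kernel code). */
#include <stddef.h>
#include <stdio.h>

struct dev { int refcount; int has_rom; };

/* Constructed sample bus: each device starts with one baseline reference;
 * the second device carries the ROM being searched for. */
static struct dev bus[3] = { {1, 0}, {1, 1}, {1, 0} };

static void dev_put(struct dev *d) { if (d) d->refcount--; }

/* Like pci_get_class(): drops the reference on 'from' if it is not NULL,
 * then returns the next device with its refcount raised (NULL at the end). */
static struct dev *get_next(struct dev *from)
{
    size_t i = from ? (size_t)(from - bus) + 1 : 0;
    dev_put(from);
    if (i >= 3) return NULL;
    bus[i].refcount++;
    return &bus[i];
}

/* Returns 1 if a ROM-carrying device was found; 'fixed' selects whether the
 * reference still held after an early break is released. */
static int find_rom(int fixed)
{
    struct dev *d = NULL;
    int found = 0;
    while ((d = get_next(d)) != NULL)
        if (d->has_rom) { found = 1; break; }   /* exits holding a reference */
    if (fixed)
        dev_put(d);   /* the release the leaky path omits; no-op when d is NULL */
    return found;
}

/* References held above the one-per-device baseline. */
static int leaked_refs(void)
{
    return (bus[0].refcount - 1) + (bus[1].refcount - 1) + (bus[2].refcount - 1);
}

int main(void)
{
    find_rom(1); printf("with put: %d leaked\n", leaked_refs());
    find_rom(0); printf("without put: %d leaked\n", leaked_refs());
    return 0;
}
```

Each call on the path without the release leaves one more reference on the matching device, so its count never returns to the baseline and the object cannot be freed.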

Affected Products

All Linux kernel versions with the radeon DRM driver enabled are affected, as indicated by the CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* appearing nine times in the affected products list. The vulnerability specifically impacts systems with AMD Radeon graphics hardware using the open-source radeon driver (as opposed to the newer amdgpu driver). Patches have been released for the Linux kernel in commits 1079df6acf56f99d86b0081a38c84701412cc90e, 3991d98a8a07b71c02f3a39f77d6d9a7f575a5c4, 470a77989037c3ab2b08bf2d026d2c0ddc35ff5b, 6f28c7f67af4ef9bca580ab67ae2d4511797af56, 725a521a18734f65de05b8d353b5bd0d3ca4c37a, 88c6e0995c04b170563b5c894c50a3b2152e18c2, a6cffe54064a5f6c2162a85af3c16c6b453eac4e, b9decada8749b606fd8b4f04a3d6c74f7983d7bc, and e738f82e5b1311e8fb3d1409491a6fcce6418fbe across multiple stable kernel series. The specific affected versions depend on the kernel branch, but the fix has been backported to stable kernels, indicating broad version coverage.

Remediation

Apply the Linux kernel security patch immediately by upgrading to a kernel version that includes one of the nine referenced commits (available at https://git.kernel.org/stable/). Most Linux distributions will receive the fix through their standard kernel update process. For systems running older or custom kernel builds, compile and deploy a kernel version from the stable kernel branches (4.4.y, 4.9.y, 4.14.y, 4.19.y, 5.4.y, 5.10.y, 5.15.y, 5.16.y, or later) that includes the pci_dev_put() fix. If immediate patching is not feasible, users experiencing memory pressure on radeon-equipped systems can temporarily disable the radeon driver in favor of the newer amdgpu driver (if the GPU supports it) or use framebuffer mode without hardware acceleration. Monitor system memory usage and kernel logs for signs of PCI device leaks if running vulnerable kernels.

Priority Score

28
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
