CVE-2022-50521
MEDIUMCVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
In the Linux kernel, the following vulnerability has been resolved: platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method() is not freed after the call, so it leads to memory leak. The method results in ACPI buffer is not used, so just pass NULL to wmi_evaluate_method() which fixes the memory leak.
Analysis
A memory leak vulnerability exists in the Linux kernel's mxm-wmi (MXM WMI) platform driver where the ACPI buffer returned by wmi_evaluate_method() is not properly freed after invocation, leading to kernel memory exhaustion and potential denial of service. The vulnerability affects all versions of the Linux kernel with the mxm-wmi driver enabled, particularly systems with NVIDIA/AMD discrete GPU switching support. A local attacker with standard user privileges can repeatedly trigger the affected code path to exhaust kernel memory and crash the system, though the extremely low EPSS score (0.01th percentile) suggests exploitation is not actively observed in the wild.
Technical Context
The mxm-wmi driver is a platform/x86 kernel module that interfaces with ACPI WMI (Windows Management Instrumentation) methods to manage discrete GPU switching on laptops via NVIDIA MXM (Mobile PCI Express Module) standard. The vulnerability is rooted in CWE-401 (Missing Release of Memory After Effective Lifetime), a classic memory leak pattern. When the wmi_evaluate_method() function is called to query GPU status via the mxm_wmi_call_mxds() and mxm_wmi_call_mxmx() functions, it allocates and populates an ACPI buffer (out.pointer) with method results. The original code copied these results but never freed the allocated buffer, causing kernel heap memory to accumulate with unreachable allocations. The fix is trivial: pass NULL as the output buffer parameter to wmi_evaluate_method(), since the method results are unused and only the return status matters.
Affected Products
The Linux kernel in all versions containing the mxm-wmi driver (drivers/platform/x86/mxm-wmi.c) is affected, as indicated by the CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. This includes all Linux distributions (Fedora, Ubuntu, Debian, RHEL, SUSE, Arch Linux, etc.) that compile and enable the mxm-wmi module, particularly on systems with NVIDIA or AMD discrete GPU switching support (common on older laptops circa 2010-2018). Patches have been applied to the stable kernel branches, with fixes available in kernel.org git commits 14bb4bde3b7b2584734b13747b345caeeb41bea3 (main), 17cd8c46cbec4e6ad593fb9159928b8e7608c11a, 379e7794c5e7485193d25d73614fbbd1e1387f6f, 3cf81501356c9e898ad94b2369ffc805f83f7d7b, 50ac517d6f5348b276f1f663799cf85dce521518, 5b0f81b0808235967868e01336c976e840217108, 727cc0147f5066e359aca65cc6cc5e6d64cc15d8, and 87426ce3bd57ad414b6e2436434ef8128986a9a5 across stable trees.
Remediation
Apply the latest stable kernel update for your distribution, which includes the mxm-wmi memory leak fix. The patches are available in kernel.org stable branches at https://git.kernel.org/stable/ (commit references listed above). For immediate remediation on systems that cannot be rebooted immediately, disable the mxm-wmi module if discrete GPU switching is not required by running 'echo 'blacklist mxm_wmi' | sudo tee /etc/modprobe.d/blacklist-mxm-wmi.conf' followed by reboot. Long-term, upgrade to a kernel version released after 2022-12 when these patches entered stable trees (e.g., Linux 5.10.163+, 5.15.86+, 6.0.19+, or 6.1.5+, depending on your distribution's support cycle). Verify the fix with 'grep -r "pass NULL" /path/to/kernel/source/drivers/platform/x86/mxm-wmi.c' to confirm the wmi_evaluate_method() buffer parameter is NULL.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today