{ "threat_severity" : "Low", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()", "id" : "2402219", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402219" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-911", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()\nAs comment of pci_get_class() says, it returns a pci_device with its\nrefcount increased and decreased the refcount for the input parameter\n@from if it is not NULL.\nIf we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we\nneed to call pci_dev_put() to decrease the refcount. Add the missing\npci_dev_put() to avoid refcount leak.", "A reference leak flaw was found in the Linux kernel's Radeon graphics driver in the BIOS retrieval logic. \nA local user on systems with AMD Radeon graphics hardware can trigger this issue when the driver searches for ACPI firmware tables and exits the search loop with an acquired PCI device reference that is never released. This results in a permanent reference leak preventing proper device cleanup and leading to resource exhaustion or denial of service." ], "statement" : "The radeon_atrm_get_bios function uses pci_get_class to iterate through PCI devices searching for compatible ACPI firmware tables. The pci_get_class function returns a device pointer with an incremented reference count and decrements the reference for the previous device. When the loop breaks with a non-NULL pdev (having found a suitable device), the code fails to call pci_dev_put to decrement the reference count. This violates PCI device reference counting rules and prevents the device from being properly cleaned up even when the driver is unloaded.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50520\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50520\nhttps://lore.kernel.org/linux-cve-announce/2025100704-CVE-2022-50520-9faa@gregkh/T" ], "name" : "CVE-2022-50520", "mitigation" : { "value" : "To mitigate this issue, prevent the radeon module from being loaded. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.", "lang" : "en:us" }, "csaw" : false }