CVE-2022-49121

low-risk

Published 2025-02-26

In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix tag leaks on error In pm8001_chip_set_dev_state_req(), pm8001_chip_fw_flash_update_req(), pm80xx_chip_phy_ctl_req() and pm8001_chip_reg_dev_req() add missing calls to pm8001_tag_free() to free the allocated tag when pm8001_mpi_build_cmd() fails. Similarly, in pm8001_exec_internal_task_abort(), if the chip ->task_abort method fails, the tag allocated for the abort request task must be freed. Add the missing call to pm8001_tag_free().

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Linux Kernel

Affected Vendors

Linux

References (5)

Patch https://git.kernel.org/stable/c/43c617eefab7077d69f5989ad3e2a273da1d728b

Patch https://git.kernel.org/stable/c/4c8f04b1905cd4b776d0b720463c091545478ef7

Patch https://git.kernel.org/stable/c/9cc72bcc1c096ed42c91646f130d4b4191580a4c

Patch https://git.kernel.org/stable/c/a0bb65eadbf942024226241d9d99fed17168940b

Patch https://git.kernel.org/stable/c/bdc74815f1c39905054b7d47399e0260b201b14d

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal