CVE-2022-49619: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49619 is a memory leak vulnerability discovered in the Linux kernel's SFP (Small Form-factor Pluggable) driver. The vulnerability was disclosed on February 26, 2025, and affects Linux kernel versions from 5.11 through 5.18.13. The issue occurs in the sfpprobe() function where a memory chunk allocated by sfpalloc() is not properly freed when devmaddaction() fails (NVD).

The vulnerability exists in the drivers/net/phy/sfp.c file where the sfpprobe() function uses devmaddaction() to manage memory cleanup. When this function fails, the memory allocated by sfpalloc() is not properly freed, resulting in a memory leak. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is on system availability (NVD).

The vulnerability can lead to memory leaks in the Linux kernel's SFP driver, potentially causing system resource depletion over time. While there is no direct impact on confidentiality or integrity, the availability of the system could be compromised due to the accumulation of leaked memory (NVD).

The vulnerability has been fixed by replacing devmaddaction() with devmaddactionorreset() in the sfp_probe() function. The fix ensures proper memory cleanup when the action addition fails. Users should upgrade to patched kernel versions. Multiple Linux distributions have released updates to address this vulnerability (Debian Security).