CVE-2022-50179

ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The
problem was in incorrect htc_handle->drv_priv initialization. Probable call trace which can trigger use-after-free: ath9k_htc_probe_device() /* htc_handle->drv_priv = priv; */ ath9k_htc_wait_for_target() <--- Failed ieee80211_free_hw() <--- priv pointer is freed <IRQ>
...
ath9k_hif_usb_rx_cb() ath9k_hif_usb_rx_stream() RX_STAT_INC() <--- htc_handle->drv_priv access In order to not add fancy protection for drv_priv we can move
htc_handle->drv_priv initialization at the end of the
ath9k_htc_probe_device() and add helper macro to make
all *_STAT_* macros NULL safe, since syzbot has reported related NULL
deref in that macros [1]

In the Linux kernel, the following vulnerability has been resolved: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The problem was in incorrect htc_handle->drv_priv initialization. Probable call trace which can trigger use-after-free: ath9k_htc_probe_device() /* htc_handle->drv_priv = priv; */ ath9k_htc_wait_for_target() <--- Failed ieee80211_free_hw() <--- priv pointer is freed <IRQ> ... ath9k_hif_usb_rx_cb() ath9k_hif_usb_rx_stream() RX_STAT_INC() <--- htc_handle->drv_priv access In order to not add fancy protection for drv_priv we can move htc_handle->drv_priv initialization at the end of the ath9k_htc_probe_device() and add helper macro to make all *_STAT_* macros NULL safe, since syzbot has reported related NULL deref in that macros [1]

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-06-18 CVE Reserved
2025-06-18 CVE Published
2025-06-18 CVE Updated
2025-06-24 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/fb9987d0f748c983bb795a86f47522313f701a08	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/62bc1ea5c7401d77eaf73d0c6a15f3d2e742856e	2022-08-25
https://git.kernel.org/stable/c/ab7a0ddf5f1cdec63cb21840369873806fc36d80	2022-08-25
https://git.kernel.org/stable/c/e9e21206b8ea62220b486310c61277e7ebfe7cec	2022-08-25
https://git.kernel.org/stable/c/eccd7c3e2596b574241a7670b5b53f5322f470e5	2022-08-21
https://git.kernel.org/stable/c/03ca957c5f7b55660957eda20b5db4110319ac7a	2022-08-17
https://git.kernel.org/stable/c/6b14ab47937ba441e75e8dbb9fbfc9c55efa41c6	2022-08-17
https://git.kernel.org/stable/c/b66ebac40f64336ae2d053883bee85261060bd27	2022-08-17
https://git.kernel.org/stable/c/0ac4827f78c7ffe8eef074bc010e7e34bc22f533	2022-06-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 4.14.291 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 4.14.291"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 4.19.256 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 4.19.256"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.4.211 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.4.211"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.10.137 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.10.137"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.15.61 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.15.61"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.18.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.18.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.19.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.19.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 6.0"		en		Affected