CVE-2022-50179
Published: Jun 18, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The problem was in incorrect htc_handle->drv_priv initialization.

Probable call trace which can trigger use-after-free:

    ath9k_htc_probe_device()
      /* htc_handle->drv_priv = priv; */
      ath9k_htc_wait_for_target()      <--- Failed
      ieee80211_free_hw()              <--- priv pointer is freed

    <IRQ>
    ...
    ath9k_hif_usb_rx_cb()
      ath9k_hif_usb_rx_stream()
        RX_STAT_INC()                  <--- htc_handle->drv_priv access

In order to not add fancy protection for drv_priv we can move htc_handle->drv_priv initialization at the end of the ath9k_htc_probe_device() and add helper macro to make all *_STAT_* macros NULL safe, since syzbot has reported related NULL deref in that macros [1]
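The ordering problem and the two-part fix described above, modelled in user-space C as an added example (not code from the kernel or from this advisory). The struct layouts, `STAT_INC`, `probe`, `rx_cb` and `probe_then_rx` are simplified, hypothetical stand-ins, and a static slot with a `freed` flag replaces the real allocation so the stale-pointer case can be observed safely.

```c
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the driver's private and HTC structs. */
struct priv { int freed; unsigned long rx_frames; };
struct htc_target { struct priv *drv_priv; };
/* A static slot models the allocation so "freed" state can be checked safely. */
static struct priv slot;

/* NULL-safe counter helper: a no-op until drv_priv has been published. */
#define STAT_INC(htc, field) \
	do { if ((htc)->drv_priv) (htc)->drv_priv->field++; } while (0)

enum rx_result { RX_SKIPPED, RX_COUNTED, RX_STALE };

/* Models the RX callback, which may run right after a failed probe. */
static enum rx_result rx_cb(struct htc_target *htc)
{
	if (htc->drv_priv && htc->drv_priv->freed)
		return RX_STALE;	/* in the kernel: use-after-free read */
	STAT_INC(htc, rx_frames);
	return htc->drv_priv ? RX_COUNTED : RX_SKIPPED;
}

/* publish_early=1 models the pre-fix ordering, 0 the fixed ordering. */
static int probe(struct htc_target *htc, int publish_early, int target_ready)
{
	struct priv *priv = &slot;
	*priv = (struct priv){ 0 };
	htc->drv_priv = publish_early ? priv : NULL;
	if (!target_ready) {		/* wait-for-target step failed */
		priv->freed = 1;	/* stands in for ieee80211_free_hw() */
		return -1;
	}
	htc->drv_priv = priv;		/* fixed ordering: last step of probe */
	return 0;
}

static enum rx_result probe_then_rx(int publish_early, int target_ready)
{
	struct htc_target htc = { NULL };
	probe(&htc, publish_early, target_ready);
	return rx_cb(&htc);
}

int main(void)
{
	printf("pre-fix: %d, fixed: %d\n", probe_then_rx(1, 0), probe_then_rx(0, 0));
	return 0;
}
```

With the early-publish ordering a failed probe leaves the callback holding a pointer to freed state; with the late-publish ordering the callback sees NULL and the NULL-safe helper skips the counter update.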
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected fb9987d0f748c983bb795a86f47522313f701a08 - < 62bc1ea5c7401d77eaf73d0c6a15f3d2e742856e; affected fb9987d0f748c983bb795a86f47522313f701a08 - < ab7a0ddf5f1cdec63cb21840369873806fc36d80; affected fb9987d0f748c983bb795a86f47522313f701a08 - < e9e21206b8ea62220b486310c61277e7ebfe7cec; affected fb9987d0f748c983bb795a86f47522313f701a08 - < eccd7c3e2596b574241a7670b5b53f5322f470e5; affected fb9987d0f748c983bb795a86f47522313f701a08 - < 03ca957c5f7b55660957eda20b5db4110319ac7a; +3 more versions |
| Linux | Linux | affected 2.6.35; unaffected 0 - < 2.6.35; unaffected 4.14.291 - <= 4.14.*; unaffected 4.19.256 - <= 4.19.*; unaffected 5.4.211 - <= 5.4.*; +5 more versions |