-
CVE-2022-50709
- EPSS 0.05%
- Veröffentlicht 24.12.2025 10:55:23
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
with uninitialized memory and ath9k_htc_rx_msg() is reading from
uninitialized memory.
Since bytes accessed by ath9k_htc_rx_msg() is not known until
ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
ath9k_hif_usb_rx_stream().
We have two choices. One is to workaround by adding __GFP_ZERO so that
ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
the latter.
Note that I'm not sure threshold condition is correct, for I can't find
details on possible packet length used by this protocol.Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
fb9987d0f748c983bb795a86f47522313f701a08
Version <
f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a
Status
affected
Version
fb9987d0f748c983bb795a86f47522313f701a08
Version <
84242f15f911f34aec9b22f99d1e9bff19723dbe
Status
affected
Version
fb9987d0f748c983bb795a86f47522313f701a08
Version <
2c485f4f2a64258acc5228e78ffb828c68d9e770
Status
affected
Version
fb9987d0f748c983bb795a86f47522313f701a08
Version <
9661724f6206bd606ecf13acada676a9975d230b
Status
affected
Version
fb9987d0f748c983bb795a86f47522313f701a08
Version <
b1b4144508adfc585e43856b31baaf9008a3beb4
Status
affected
Version
fb9987d0f748c983bb795a86f47522313f701a08
Version <
0d2649b288b7b9484e3d4380c0d6c4720a17e473
Status
affected
Version
fb9987d0f748c983bb795a86f47522313f701a08
Version <
4891a50f5ed8bfcb8f2a4b816b0676f398687783
Status
affected
Version
fb9987d0f748c983bb795a86f47522313f701a08
Version <
b383e8abed41cc6ff1a3b34de75df9397fa4878c
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
2.6.35
Status
affected
Version
0
Version <
2.6.35
Status
unaffected
Version <=
4.14.*
Version
4.14.296
Status
unaffected
Version <=
4.19.*
Version
4.19.262
Status
unaffected
Version <=
5.4.*
Version
5.4.220
Status
unaffected
Version <=
5.10.*
Version
5.10.150
Status
unaffected
Version <=
5.15.*
Version
5.15.75
Status
unaffected
Version <=
5.19.*
Version
5.19.17
Status
unaffected
Version <=
6.0.*
Version
6.0.3
Status
unaffected
Version <=
*
Version
6.1
Status
unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.144 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|