CVE-2022-50740 (GCVE-0-2022-50740)
Vulnerability from cvelistv5
Published
2025-12-24 13:05
Modified
2025-12-24 13:05
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
Syzkaller reports a long-known leak of urbs in
ath9k_hif_usb_dealloc_tx_urbs().
The cause of the leak is that usb_get_urb() is called but usb_free_urb()
(or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or
urb->ep fields have not been initialized and usb_kill_urb() returns
immediately.
The patch removes trying to kill urbs located in hif_dev->tx.tx_buf
because hif_dev->tx.tx_buf is not supposed to contain urbs which are in
pending state (the pending urbs are stored in hif_dev->tx.tx_pending).
The tx.tx_lock is acquired so there should not be any changes in the list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6f0706ef39fecc6bf56d67728fe0c94e26b43e9d Version: 795d57a558d106b8a5bc2bd7aeaf707d9a099244 Version: df4318440c1568b7dedc5f7d4e617d0e297a1313 Version: a9990ed2d7ca9339d37c7f67d6f5cb298c3f1b34 Version: 03fb92a432ea5abe5909bca1455b7e44a9380480 Version: 03fb92a432ea5abe5909bca1455b7e44a9380480 Version: 03fb92a432ea5abe5909bca1455b7e44a9380480 Version: 03fb92a432ea5abe5909bca1455b7e44a9380480 Version: 03fb92a432ea5abe5909bca1455b7e44a9380480 Version: b92e116ae36f498858dbb18e29a066c3f5348965 Version: 7f5972267295fe49f8da8eb42bc2eb3d140860c0 Version: 2d72d5ce63c92f56b9f978e8befb5838144176b9 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "134ae5eba41294eff76e4be20d6001b8f0192207",
"status": "affected",
"version": "6f0706ef39fecc6bf56d67728fe0c94e26b43e9d",
"versionType": "git"
},
{
"lessThan": "472312fef2b9eccaa03bd59e0ab2527da945e736",
"status": "affected",
"version": "795d57a558d106b8a5bc2bd7aeaf707d9a099244",
"versionType": "git"
},
{
"lessThan": "eddbb8f7620f9f8008b090a6e10c460074ca575a",
"status": "affected",
"version": "df4318440c1568b7dedc5f7d4e617d0e297a1313",
"versionType": "git"
},
{
"lessThan": "9850791d389b342ae6e573fe8198db0b4d338352",
"status": "affected",
"version": "a9990ed2d7ca9339d37c7f67d6f5cb298c3f1b34",
"versionType": "git"
},
{
"lessThan": "c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"lessThan": "d856f7574bcc1d81de565a857caf32f122cd7ce0",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"lessThan": "c05189a429fdb371dd455c3c466d67ac2ebff152",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"lessThan": "08aa0537ec8cf29ceccae98acc1a534fc12598c1",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"lessThan": "c2a94de38c74e86f49124ac14f093d6a5c377a90",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"status": "affected",
"version": "b92e116ae36f498858dbb18e29a066c3f5348965",
"versionType": "git"
},
{
"status": "affected",
"version": "7f5972267295fe49f8da8eb42bc2eb3d140860c0",
"versionType": "git"
},
{
"status": "affected",
"version": "2d72d5ce63c92f56b9f978e8befb5838144176b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()\n\nSyzkaller reports a long-known leak of urbs in\nath9k_hif_usb_dealloc_tx_urbs().\n\nThe cause of the leak is that usb_get_urb() is called but usb_free_urb()\n(or usb_put_urb()) is not called inside usb_kill_urb() as urb-\u003edev or\nurb-\u003eep fields have not been initialized and usb_kill_urb() returns\nimmediately.\n\nThe patch removes trying to kill urbs located in hif_dev-\u003etx.tx_buf\nbecause hif_dev-\u003etx.tx_buf is not supposed to contain urbs which are in\npending state (the pending urbs are stored in hif_dev-\u003etx.tx_pending).\nThe tx.tx_lock is acquired so there should not be any changes in the list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:38.150Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/134ae5eba41294eff76e4be20d6001b8f0192207"
},
{
"url": "https://git.kernel.org/stable/c/472312fef2b9eccaa03bd59e0ab2527da945e736"
},
{
"url": "https://git.kernel.org/stable/c/eddbb8f7620f9f8008b090a6e10c460074ca575a"
},
{
"url": "https://git.kernel.org/stable/c/9850791d389b342ae6e573fe8198db0b4d338352"
},
{
"url": "https://git.kernel.org/stable/c/c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d"
},
{
"url": "https://git.kernel.org/stable/c/d856f7574bcc1d81de565a857caf32f122cd7ce0"
},
{
"url": "https://git.kernel.org/stable/c/c05189a429fdb371dd455c3c466d67ac2ebff152"
},
{
"url": "https://git.kernel.org/stable/c/08aa0537ec8cf29ceccae98acc1a534fc12598c1"
},
{
"url": "https://git.kernel.org/stable/c/c2a94de38c74e86f49124ac14f093d6a5c377a90"
}
],
"title": "wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50740",
"datePublished": "2025-12-24T13:05:38.150Z",
"dateReserved": "2025-12-24T13:02:21.542Z",
"dateUpdated": "2025-12-24T13:05:38.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-50740\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:00.703\",\"lastModified\":\"2025-12-24T13:16:00.703\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()\\n\\nSyzkaller reports a long-known leak of urbs in\\nath9k_hif_usb_dealloc_tx_urbs().\\n\\nThe cause of the leak is that usb_get_urb() is called but usb_free_urb()\\n(or usb_put_urb()) is not called inside usb_kill_urb() as urb-\u003edev or\\nurb-\u003eep fields have not been initialized and usb_kill_urb() returns\\nimmediately.\\n\\nThe patch removes trying to kill urbs located in hif_dev-\u003etx.tx_buf\\nbecause hif_dev-\u003etx.tx_buf is not supposed to contain urbs which are in\\npending state (the pending urbs are stored in hif_dev-\u003etx.tx_pending).\\nThe tx.tx_lock is acquired so there should not be any changes in the list.\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/08aa0537ec8cf29ceccae98acc1a534fc12598c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/134ae5eba41294eff76e4be20d6001b8f0192207\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/472312fef2b9eccaa03bd59e0ab2527da945e736\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9850791d389b342ae6e573fe8198db0b4d338352\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c05189a429fdb371dd455c3c466d67ac2ebff152\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c2a94de38c74e86f49124ac14f093d6a5c377a90\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d856f7574bcc1d81de565a857caf32f122cd7ce0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/eddbb8f7620f9f8008b090a6e10c460074ca575a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…