ghsa-3fvr-fgq3-468j
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
Syzkaller reports a long-known leak of urbs in ath9k_hif_usb_dealloc_tx_urbs().
The cause of the leak is that usb_get_urb() is called but usb_free_urb() (or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or urb->ep fields have not been initialized and usb_kill_urb() returns immediately.
The patch removes trying to kill urbs located in hif_dev->tx.tx_buf because hif_dev->tx.tx_buf is not supposed to contain urbs which are in pending state (the pending urbs are stored in hif_dev->tx.tx_pending). The tx.tx_lock is acquired so there should not be any changes in the list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
{
"affected": [],
"aliases": [
"CVE-2022-50740"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-24T13:16:00Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()\n\nSyzkaller reports a long-known leak of urbs in\nath9k_hif_usb_dealloc_tx_urbs().\n\nThe cause of the leak is that usb_get_urb() is called but usb_free_urb()\n(or usb_put_urb()) is not called inside usb_kill_urb() as urb-\u003edev or\nurb-\u003eep fields have not been initialized and usb_kill_urb() returns\nimmediately.\n\nThe patch removes trying to kill urbs located in hif_dev-\u003etx.tx_buf\nbecause hif_dev-\u003etx.tx_buf is not supposed to contain urbs which are in\npending state (the pending urbs are stored in hif_dev-\u003etx.tx_pending).\nThe tx.tx_lock is acquired so there should not be any changes in the list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
"id": "GHSA-3fvr-fgq3-468j",
"modified": "2025-12-24T15:30:33Z",
"published": "2025-12-24T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50740"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/08aa0537ec8cf29ceccae98acc1a534fc12598c1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/134ae5eba41294eff76e4be20d6001b8f0192207"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/472312fef2b9eccaa03bd59e0ab2527da945e736"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9850791d389b342ae6e573fe8198db0b4d338352"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c05189a429fdb371dd455c3c466d67ac2ebff152"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c2a94de38c74e86f49124ac14f093d6a5c377a90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d856f7574bcc1d81de565a857caf32f122cd7ce0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eddbb8f7620f9f8008b090a6e10c460074ca575a"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.