ghsa-92cx-cg65-38vh
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The problem was in incorrect htc_handle->drv_priv initialization.
Probable call trace which can trigger use-after-free:
ath9k_htc_probe_device() / htc_handle->drv_priv = priv; / ath9k_htc_wait_for_target() <--- Failed ieee80211_free_hw() <--- priv pointer is freed
... ath9k_hif_usb_rx_cb() ath9k_hif_usb_rx_stream() RX_STAT_INC() <--- htc_handle->drv_priv access
In order to not add fancy protection for drv_priv we can move htc_handle->drv_priv initialization at the end of the ath9k_htc_probe_device() and add helper macro to make all STAT macros NULL safe, since syzbot has reported related NULL deref in that macros [1]
{
"affected": [],
"aliases": [
"CVE-2022-50179"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:48Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath9k: fix use-after-free in ath9k_hif_usb_rx_cb\n\nSyzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The\nproblem was in incorrect htc_handle-\u003edrv_priv initialization.\n\nProbable call trace which can trigger use-after-free:\n\nath9k_htc_probe_device()\n /* htc_handle-\u003edrv_priv = priv; */\n ath9k_htc_wait_for_target() \u003c--- Failed\n ieee80211_free_hw()\t\t \u003c--- priv pointer is freed\n\n\u003cIRQ\u003e\n...\nath9k_hif_usb_rx_cb()\n ath9k_hif_usb_rx_stream()\n RX_STAT_INC()\t\t\u003c--- htc_handle-\u003edrv_priv access\n\nIn order to not add fancy protection for drv_priv we can move\nhtc_handle-\u003edrv_priv initialization at the end of the\nath9k_htc_probe_device() and add helper macro to make\nall *_STAT_* macros NULL safe, since syzbot has reported related NULL\nderef in that macros [1]",
"id": "GHSA-92cx-cg65-38vh",
"modified": "2025-06-18T12:30:53Z",
"published": "2025-06-18T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50179"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/03ca957c5f7b55660957eda20b5db4110319ac7a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0ac4827f78c7ffe8eef074bc010e7e34bc22f533"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/62bc1ea5c7401d77eaf73d0c6a15f3d2e742856e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b14ab47937ba441e75e8dbb9fbfc9c55efa41c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab7a0ddf5f1cdec63cb21840369873806fc36d80"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b66ebac40f64336ae2d053883bee85261060bd27"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9e21206b8ea62220b486310c61277e7ebfe7cec"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eccd7c3e2596b574241a7670b5b53f5322f470e5"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.