{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50880", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:07.137Z", "datePublished": "2025-12-30T12:23:19.551Z", "dateUpdated": "2025-12-30T12:23:19.551Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:23:19.551Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()\n\nWhen peer delete failed in a disconnect operation, use-after-free\ndetected by KFENCE in below log. It is because for each vdev_id and\naddress, it has only one struct ath10k_peer, it is allocated in\nath10k_peer_map_event(). When connected to an AP, it has more than\none HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the\narray peer_map of struct ath10k will be set muti-elements to the\nsame ath10k_peer in ath10k_peer_map_event(). When peer delete failed\nin ath10k_sta_state(), the ath10k_peer will be free for the 1st peer\nid in array peer_map of struct ath10k, and then use-after-free happened\nfor the 2nd peer id because they map to the same ath10k_peer.\n\nAnd clean up all peers in array peer_map for the ath10k_peer, then\nuser-after-free disappeared\n\npeer map event log:\n[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e\n[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33\n[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246\n[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198\n[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166\n\npeer unmap event log:\n[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)\n[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)\n[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246\n[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198\n[ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166\n\nuse-after-free log:\n[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)\n[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110\n[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed\n[21713.799968] ==================================================================\n[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.799991]\n[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):\n[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.800041] drv_sta_state+0x115/0x677 [mac80211]\n[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211]\n[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211]\n[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]\n[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]\n[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]\n[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211]\n[21713.800161] genl_rcv_msg+0x38e/0x3be\n[21713.800166] netlink_rcv_skb+0x89/0xf7\n[21713.800171] genl_rcv+0x28/0x36\n[21713.800176] netlink_unicast+0x179/0x24b\n[21713.800181] netlink_sendmsg+0x3a0/0x40e\n[21713.800187] sock_sendmsg+0x72/0x76\n[21713.800192] ____sys_sendmsg+0x16d/0x1e3\n[21713.800196] ___sys_sendmsg+0x95/0xd1\n[21713.800200] __sys_sendmsg+0x85/0xbf\n[21713.800205] do_syscall_64+0x43/0x55\n[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[21713.800213]\n[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k\n[21713.800219]\n[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:\n[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core]\n[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]\n[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]\n[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]\n[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath10k/mac.c"], "versions": [{"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "15604ab67179ae27ea3c7fb24b6df32b143257c4", "status": "affected", "versionType": "git"}, {"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "2d6259715c9597a6cfa25db8911683eb0073b1c6", "status": "affected", "versionType": "git"}, {"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "f12fc305c127bd07bb50373e29c6037696f916a8", "status": "affected", "versionType": "git"}, {"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "4494ec1c0bb850eaa80fed98e5b041d961011d3e", "status": "affected", "versionType": "git"}, {"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "08faf07717be0c88b02b5aa45aad2225dfcdd2dc", "status": "affected", "versionType": "git"}, {"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "54a3201f3c1ff813523937da78b5fa7649dbab71", "status": "affected", "versionType": "git"}, {"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "2bf916418d2141b810c40812433ab4ecfd3c2934", "status": "affected", "versionType": "git"}, {"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "38245f2d62cd4d1f38a763a7b4045ab4565b30a0", "status": "affected", "versionType": "git"}, {"version": "d0eeafad118940fe445ca00f45be5624fea2ec34", "lessThan": "f020d9570a04df0762a2ac5c50cf1d8c511c9164", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath10k/mac.c"], "versions": [{"version": "4.8", "status": "affected"}, {"version": "0", "lessThan": "4.8", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.331", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.296", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.262", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.220", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.150", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.75", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.17", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.3", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "4.9.331"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "4.14.296"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "4.19.262"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.4.220"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.10.150"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.15.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.19.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.0.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4"}, {"url": "https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6"}, {"url": "https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8"}, {"url": "https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e"}, {"url": "https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc"}, {"url": "https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71"}, {"url": "https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934"}, {"url": "https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0"}, {"url": "https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164"}], "title": "wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()\n\nWhen peer delete failed in a disconnect operation, use-after-free\ndetected by KFENCE in below log. It is because for each vdev_id and\naddress, it has only one struct ath10k_peer, it is allocated in\nath10k_peer_map_event(). When connected to an AP, it has more than\none HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the\narray peer_map of struct ath10k will be set muti-elements to the\nsame ath10k_peer in ath10k_peer_map_event(). When peer delete failed\nin ath10k_sta_state(), the ath10k_peer will be free for the 1st peer\nid in array peer_map of struct ath10k, and then use-after-free happened\nfor the 2nd peer id because they map to the same ath10k_peer.\n\nAnd clean up all peers in array peer_map for the ath10k_peer, then\nuser-after-free disappeared\n\npeer map event log:\n[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e\n[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33\n[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246\n[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198\n[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166\n\npeer unmap event log:\n[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)\n[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)\n[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246\n[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198\n[ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166\n\nuse-after-free log:\n[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)\n[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110\n[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed\n[21713.799968] ==================================================================\n[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.799991]\n[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):\n[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.800041] drv_sta_state+0x115/0x677 [mac80211]\n[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211]\n[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211]\n[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]\n[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]\n[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]\n[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211]\n[21713.800161] genl_rcv_msg+0x38e/0x3be\n[21713.800166] netlink_rcv_skb+0x89/0xf7\n[21713.800171] genl_rcv+0x28/0x36\n[21713.800176] netlink_unicast+0x179/0x24b\n[21713.800181] netlink_sendmsg+0x3a0/0x40e\n[21713.800187] sock_sendmsg+0x72/0x76\n[21713.800192] ____sys_sendmsg+0x16d/0x1e3\n[21713.800196] ___sys_sendmsg+0x95/0xd1\n[21713.800200] __sys_sendmsg+0x85/0xbf\n[21713.800205] do_syscall_64+0x43/0x55\n[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[21713.800213]\n[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k\n[21713.800219]\n[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:\n[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core]\n[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]\n[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]\n[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]\n[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d\n---truncated---"}], "id": "CVE-2022-50880", "lastModified": "2025-12-31T20:43:05.160", "metrics": {}, "published": "2025-12-30T13:16:03.063", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()", "id": "2426109", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426109"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2022-50880", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50880\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50880\nhttps://lore.kernel.org/linux-cve-announce/2025123024-CVE-2022-50880-4c27@gregkh/T"], "threat_severity": "Important"}

{}