{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50881", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:07.137Z", "datePublished": "2025-12-30T12:23:20.343Z", "dateUpdated": "2026-01-02T15:05:15.332Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-01-02T15:05:15.332Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()\n\nThis patch fixes a use-after-free in ath9k that occurs in\nath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access\n'drv_priv' that has already been freed by ieee80211_free_hw(), called by\nath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before\nieee80211_free_hw(). Note that urbs from the driver should be killed\nbefore freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will\naccess 'wmi'.\n\nFound by a modified version of syzkaller.\n\n==================================================================\nBUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40\nRead of size 8 at addr ffff8881069132a0 by task kworker/0:1/7\n\nCPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x8e/0xd1\n print_address_description.constprop.0.cold+0x93/0x334\n ? ath9k_destroy_wmi+0x38/0x40\n ? ath9k_destroy_wmi+0x38/0x40\n kasan_report.cold+0x83/0xdf\n ? ath9k_destroy_wmi+0x38/0x40\n ath9k_destroy_wmi+0x38/0x40\n ath9k_hif_usb_disconnect+0x329/0x3f0\n ? ath9k_hif_usb_suspend+0x120/0x120\n ? usb_disable_interface+0xfc/0x180\n usb_unbind_interface+0x19b/0x7e0\n ? usb_autoresume_device+0x50/0x50\n device_release_driver_internal+0x44d/0x520\n bus_remove_device+0x2e5/0x5a0\n device_del+0x5b2/0xe30\n ? __device_link_del+0x370/0x370\n ? usb_remove_ep_devs+0x43/0x80\n ? remove_intf_ep_devs+0x112/0x1a0\n usb_disable_device+0x1e3/0x5a0\n usb_disconnect+0x267/0x870\n hub_event+0x168d/0x3950\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? hub_port_debounce+0x2e0/0x2e0\n ? check_irq_usage+0x860/0xf20\n ? drain_workqueue+0x281/0x360\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x92b/0x1460\n ? pwq_dec_nr_in_flight+0x330/0x330\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x95/0xe00\n ? __kthread_parkme+0x115/0x1e0\n ? process_one_work+0x1460/0x1460\n kthread+0x3a1/0x480\n ? set_kthread_struct+0x120/0x120\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the page:\npage:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913\nflags: 0x200000000000000(node=0|zone=2)\nraw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635\n prep_new_page+0x1aa/0x240\n get_page_from_freelist+0x159a/0x27c0\n __alloc_pages+0x2da/0x6a0\n alloc_pages+0xec/0x1e0\n kmalloc_order+0x39/0xf0\n kmalloc_order_trace+0x19/0x120\n __kmalloc+0x308/0x390\n wiphy_new_nm+0x6f5/0x1dd0\n ieee80211_alloc_hw_nm+0x36d/0x2230\n ath9k_htc_probe_device+0x9d/0x1e10\n ath9k_htc_hw_init+0x34/0x50\n ath9k_hif_usb_firmware_cb+0x25f/0x4e0\n request_firmware_work_func+0x131/0x240\n process_one_work+0x92b/0x1460\n worker_thread+0x95/0xe00\n kthread+0x3a1/0x480\npage last free stack trace:\n free_pcp_prepare+0x3d3/0x7f0\n free_unref_page+0x1e/0x3d0\n device_release+0xa4/0x240\n kobject_put+0x186/0x4c0\n put_device+0x20/0x30\n ath9k_htc_disconnect_device+0x1cf/0x2c0\n ath9k_htc_hw_deinit+0x26/0x30\n ath9k_hif_usb_disconnect+0x2d9/0x3f0\n usb_unbind_interface+0x19b/0x7e0\n device_release_driver_internal+0x44d/0x520\n bus_remove_device+0x2e5/0x5a0\n device_del+0x5b2/0xe30\n usb_disable_device+0x1e3/0x5a0\n usb_disconnect+0x267/0x870\n hub_event+0x168d/0x3950\n process_one_work+0x92b/0x1460\n\nMemory state around the buggy address:\n ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n>ffff888\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath9k/hif_usb.c", "drivers/net/wireless/ath/ath9k/htc_drv_init.c"], "versions": [{"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908", "lessThan": "99ff971b62e5bd5dee65bbe9777375206f5db791", "status": "affected", "versionType": "git"}, {"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908", "lessThan": "634a5471a6bd774c0d0fa448dfa6ec593e899ec9", "status": "affected", "versionType": "git"}, {"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908", "lessThan": "1f137c634a8c8faba648574f687805641e62f92e", "status": "affected", "versionType": "git"}, {"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908", "lessThan": "de15e8bbd9eb26fe94a06d0ec7be82dc490eb729", "status": "affected", "versionType": "git"}, {"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908", "lessThan": "f099c5c9e2ba08a379bd354a82e05ef839ae29ac", "status": "affected", "versionType": "git"}, {"version": "5c42f9bfb4c22898ed3d2806d75e2e58522a5edd", "status": "affected", "versionType": "git"}, {"version": "44736603a7099d2a9b48c669e43a689588e272a5", "status": "affected", "versionType": "git"}, {"version": "406a2fbfabbf7ed9ed21884a82c07fabc6fe0b68", "status": "affected", "versionType": "git"}, {"version": "66a4ca83d50bb38c814190af2188868153cce5de", "status": "affected", "versionType": "git"}, {"version": "3eb802924486a923585b344340a5536d91989a45", "status": "affected", "versionType": "git"}, {"version": "1bc633311a37913293c3c0a1b0f5261c49e3d5dc", "status": "affected", "versionType": "git"}, {"version": "378d2734bf603bac4959bce2cadf5927aa2beffc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath9k/hif_usb.c", "drivers/net/wireless/ath/ath9k/htc_drv_init.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.173", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.99", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.16", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.3", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.173"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.15.99"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.2.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.228"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.228"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.185"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.129"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.47"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/99ff971b62e5bd5dee65bbe9777375206f5db791"}, {"url": "https://git.kernel.org/stable/c/634a5471a6bd774c0d0fa448dfa6ec593e899ec9"}, {"url": "https://git.kernel.org/stable/c/1f137c634a8c8faba648574f687805641e62f92e"}, {"url": "https://git.kernel.org/stable/c/de15e8bbd9eb26fe94a06d0ec7be82dc490eb729"}, {"url": "https://git.kernel.org/stable/c/f099c5c9e2ba08a379bd354a82e05ef839ae29ac"}], "title": "wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()\n\nThis patch fixes a use-after-free in ath9k that occurs in\nath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access\n'drv_priv' that has already been freed by ieee80211_free_hw(), called by\nath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before\nieee80211_free_hw(). Note that urbs from the driver should be killed\nbefore freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will\naccess 'wmi'.\n\nFound by a modified version of syzkaller.\n\n==================================================================\nBUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40\nRead of size 8 at addr ffff8881069132a0 by task kworker/0:1/7\n\nCPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x8e/0xd1\n print_address_description.constprop.0.cold+0x93/0x334\n ? ath9k_destroy_wmi+0x38/0x40\n ? ath9k_destroy_wmi+0x38/0x40\n kasan_report.cold+0x83/0xdf\n ? ath9k_destroy_wmi+0x38/0x40\n ath9k_destroy_wmi+0x38/0x40\n ath9k_hif_usb_disconnect+0x329/0x3f0\n ? ath9k_hif_usb_suspend+0x120/0x120\n ? usb_disable_interface+0xfc/0x180\n usb_unbind_interface+0x19b/0x7e0\n ? usb_autoresume_device+0x50/0x50\n device_release_driver_internal+0x44d/0x520\n bus_remove_device+0x2e5/0x5a0\n device_del+0x5b2/0xe30\n ? __device_link_del+0x370/0x370\n ? usb_remove_ep_devs+0x43/0x80\n ? remove_intf_ep_devs+0x112/0x1a0\n usb_disable_device+0x1e3/0x5a0\n usb_disconnect+0x267/0x870\n hub_event+0x168d/0x3950\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? hub_port_debounce+0x2e0/0x2e0\n ? check_irq_usage+0x860/0xf20\n ? drain_workqueue+0x281/0x360\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x92b/0x1460\n ? pwq_dec_nr_in_flight+0x330/0x330\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x95/0xe00\n ? __kthread_parkme+0x115/0x1e0\n ? process_one_work+0x1460/0x1460\n kthread+0x3a1/0x480\n ? set_kthread_struct+0x120/0x120\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the page:\npage:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913\nflags: 0x200000000000000(node=0|zone=2)\nraw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635\n prep_new_page+0x1aa/0x240\n get_page_from_freelist+0x159a/0x27c0\n __alloc_pages+0x2da/0x6a0\n alloc_pages+0xec/0x1e0\n kmalloc_order+0x39/0xf0\n kmalloc_order_trace+0x19/0x120\n __kmalloc+0x308/0x390\n wiphy_new_nm+0x6f5/0x1dd0\n ieee80211_alloc_hw_nm+0x36d/0x2230\n ath9k_htc_probe_device+0x9d/0x1e10\n ath9k_htc_hw_init+0x34/0x50\n ath9k_hif_usb_firmware_cb+0x25f/0x4e0\n request_firmware_work_func+0x131/0x240\n process_one_work+0x92b/0x1460\n worker_thread+0x95/0xe00\n kthread+0x3a1/0x480\npage last free stack trace:\n free_pcp_prepare+0x3d3/0x7f0\n free_unref_page+0x1e/0x3d0\n device_release+0xa4/0x240\n kobject_put+0x186/0x4c0\n put_device+0x20/0x30\n ath9k_htc_disconnect_device+0x1cf/0x2c0\n ath9k_htc_hw_deinit+0x26/0x30\n ath9k_hif_usb_disconnect+0x2d9/0x3f0\n usb_unbind_interface+0x19b/0x7e0\n device_release_driver_internal+0x44d/0x520\n bus_remove_device+0x2e5/0x5a0\n device_del+0x5b2/0xe30\n usb_disable_device+0x1e3/0x5a0\n usb_disconnect+0x267/0x870\n hub_event+0x168d/0x3950\n process_one_work+0x92b/0x1460\n\nMemory state around the buggy address:\n ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n>ffff888\n---truncated---"}], "id": "CVE-2022-50881", "lastModified": "2025-12-31T20:43:05.160", "metrics": {}, "published": "2025-12-30T13:16:03.173", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1f137c634a8c8faba648574f687805641e62f92e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/634a5471a6bd774c0d0fa448dfa6ec593e899ec9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/99ff971b62e5bd5dee65bbe9777375206f5db791"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/de15e8bbd9eb26fe94a06d0ec7be82dc490eb729"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f099c5c9e2ba08a379bd354a82e05ef839ae29ac"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()", "id": "2426203", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426203"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2022-50881", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50881\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50881\nhttps://lore.kernel.org/linux-cve-announce/2025123025-CVE-2022-50881-88e5@gregkh/T"], "threat_severity": "Important"}

{}