CVE-2022-50709
Unknown Unknown - Not Provided
Uninitialized Memory Read in Linux ath9k WiFi Driver

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb with uninitialized memory and ath9k_htc_rx_msg() is reading from uninitialized memory. Since bytes accessed by ath9k_htc_rx_msg() is not known until ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in ath9k_hif_usb_rx_stream(). We have two choices. One is to workaround by adding __GFP_ZERO so that ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose the latter. Note that I'm not sure threshold condition is correct, for I can't find details on possible packet length used by this protocol.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-05-07
AI Q&A
2025-12-24
EPSS Evaluated
2026-05-05
NVD
CVE-2022-50709
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's ath9k wireless driver involves reading uninitialized memory in the function ath9k_htc_rx_msg(). The issue arises because ath9k_hif_usb_rx_stream() can be called with a packet length (pkt_len) of zero, but it allocates memory assuming pkt_len is valid. This leads to allocation of memory that contains uninitialized data, which is then read by ath9k_htc_rx_msg(). The patch fixes this by validating pkt_len before accessing the memory to avoid reading uninitialized values.


How can this vulnerability impact me? :

This vulnerability can lead to the Linux kernel reading uninitialized memory, which may cause unpredictable behavior, potential information leakage, or system instability. Since uninitialized memory can contain sensitive data, this could be exploited to access unintended information or cause denial of service conditions.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is addressed by validating the pkt_len value before accessing memory in the ath9k_htc_rx_msg() function. Immediate mitigation steps include updating the Linux kernel to a version that contains the patch which adds this validation to prevent uninitialized memory reads. Alternatively, a workaround involves modifying the kernel code to add __GFP_ZERO flag during skb allocation to zero out memory, but the recommended approach is to apply the official patch or update.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart