CVE-2022-50714
Use-After-Free Crash in Linux mt7921e WiFi Driver on Module Removal

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921e: fix rmmod crash in driver reload test

In insmod/rmmod stress test, the following crash dump shows up immediately. The problem is caused by missing mt76_dev in mt7921_pci_remove(). We should make sure the drvdata is ready before probe() finished.

[168.862789] ==================================================================
[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480
[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361
[168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1
[168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020
[168.862820] Call Trace:
[168.862822] <TASK>
[168.862825] dump_stack_lvl+0x49/0x63
[168.862832] print_report.cold+0x493/0x6b7
[168.862845] kasan_report+0xa7/0x120
[168.862857] kasan_check_range+0x163/0x200
[168.862861] __kasan_check_write+0x14/0x20
[168.862866] try_to_grab_pending+0x59/0x480
[168.862870] __cancel_work_timer+0xbb/0x340
[168.862898] cancel_work_sync+0x10/0x20
[168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e]
[168.862909] pci_device_remove+0xa3/0x1d0
[168.862914] device_remove+0xc4/0x170
[168.862920] device_release_driver_internal+0x163/0x300
[168.862925] driver_detach+0xc7/0x1a0
[168.862930] bus_remove_driver+0xeb/0x2d0
[168.862935] driver_unregister+0x71/0xb0
[168.862939] pci_unregister_driver+0x30/0x230
[168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e]
[168.862949] __x64_sys_delete_module+0x2f9/0x4b0
[168.862968] do_syscall_64+0x38/0x90
[168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Test steps:
1. insmod
2. do not ifup
3. rmmod quickly (within 1 second)

Meta Information
Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-05-07
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor: mt76
Product: mt7921e
Version / Range: *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a crash issue in the Linux kernel's mt76 wireless driver, specifically the mt7921e component. It occurs during a stress test involving rapid insertion and removal of the driver module (insmod/rmmod). The crash is caused by a missing device reference (mt76_dev) in the mt7921_pci_remove() function, which leads to a use-after-free or invalid memory access when the driver is removed quickly before the probe() function has fully completed initialization.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash when the affected wireless driver module is removed quickly after being inserted. This can lead to system instability or downtime, especially in environments where the driver is frequently reloaded or updated. It may disrupt wireless connectivity and require a system reboot to recover.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by performing an insmod/rmmod stress test on the mt7921e driver. Specifically, load the driver module using 'insmod', do not bring the interface up (do not run 'ifup'), and then quickly remove the module using 'rmmod' within 1 second. If the system crashes or you see a kernel crash dump similar to the provided log (including KASAN user-memory-access errors related to mt7921_pci_remove), the vulnerability is present.
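
A passive check for the same signature, as an added example that is not part of the original page: it scans saved kernel log text (for example, the output of dmesg) for a KASAN report whose call trace shows cancel_work_sync() called directly from mt7921_pci_remove(). The function names find_reports and matches_cve_signature are hypothetical; the sample lines are abridged from the crash dump in the description, with one constructed unrelated line added.

```python
import re

# Sample abridged from the crash dump quoted in the CVE description,
# plus one constructed unrelated line (the last) to show it is ignored.
SAMPLE = """\
[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480
[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361
[168.862820] Call Trace:
[168.862866] try_to_grab_pending+0x59/0x480
[168.862870] __cancel_work_timer+0xbb/0x340
[168.862898] cancel_work_sync+0x10/0x20
[168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e]
[168.862909] pci_device_remove+0xa3/0x1d0
[200.000001] wlan0: associated
"""

BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x")
TASK_RE = re.compile(r"by task (\S+)/(\d+)")
FRAME_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?:\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_reports(log_text):
    """Split a kernel log into KASAN reports, each with its stack frames."""
    reports, cur = [], None
    for line in log_text.splitlines():
        m = BUG_RE.search(line)
        if m:  # a new KASAN report starts here
            cur = {"kind": m.group(1), "site": m.group(2), "task": None, "frames": []}
            reports.append(cur)
            continue
        if cur is None:  # ignore everything before the first report
            continue
        t = TASK_RE.search(line)
        if t:
            cur["task"] = t.group(1)
        f = FRAME_RE.match(line)
        if f:  # "symbol+0xoff/0xsize" stack frame line
            cur["frames"].append(f.group(1))
    return reports

def matches_cve_signature(report):
    """True when the trace has cancel_work_sync() called from mt7921_pci_remove()."""
    fr = report["frames"]
    return any(a == "cancel_work_sync" and b == "mt7921_pci_remove"
               for a, b in zip(fr, fr[1:]))

if __name__ == "__main__":
    for r in find_reports(SAMPLE):
        print(r["kind"], r["task"], matches_cve_signature(r))
```
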


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves avoiding the insmod/rmmod stress test sequence that triggers the crash. Specifically, do not quickly remove the mt7921e driver module after loading it without bringing the interface up. Wait for probe() to finish properly before removing the module. The definitive fix is to apply the patch that fixes the missing mt76_dev in mt7921_pci_remove().

