CVE-2022-50714
Unknown Unknown - Not Provided

Use-After-Free Crash in Linux mt7921e WiFi Driver on Module Removal

Vulnerability report for CVE-2022-50714, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921e: fix rmmod crash in driver reload test In insmod/rmmod stress test, the following crash dump shows up immediately. The problem is caused by missing mt76_dev in mt7921_pci_remove(). We should make sure the drvdata is ready before probe() finished. [168.862789] ================================================================== [168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480 [168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361 [168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1 [168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020 [168.862820] Call Trace: [168.862822] <TASK> [168.862825] dump_stack_lvl+0x49/0x63 [168.862832] print_report.cold+0x493/0x6b7 [168.862845] kasan_report+0xa7/0x120 [168.862857] kasan_check_range+0x163/0x200 [168.862861] __kasan_check_write+0x14/0x20 [168.862866] try_to_grab_pending+0x59/0x480 [168.862870] __cancel_work_timer+0xbb/0x340 [168.862898] cancel_work_sync+0x10/0x20 [168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e] [168.862909] pci_device_remove+0xa3/0x1d0 [168.862914] device_remove+0xc4/0x170 [168.862920] device_release_driver_internal+0x163/0x300 [168.862925] driver_detach+0xc7/0x1a0 [168.862930] bus_remove_driver+0xeb/0x2d0 [168.862935] driver_unregister+0x71/0xb0 [168.862939] pci_unregister_driver+0x30/0x230 [168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e] [168.862949] __x64_sys_delete_module+0x2f9/0x4b0 [168.862968] do_syscall_64+0x38/0x90 [168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd Test steps: 1. insmode 2. do not ifup 3. rmmod quickly (within 1 second)

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-07-06
AI Q&A
2025-12-24
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mt76 mt7921e *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a crash issue in the Linux kernel's mt76 wireless driver, specifically the mt7921e component. It occurs during a stress test involving rapid insertion and removal of the driver module (insmod/rmmod). The crash is caused by a missing device reference (mt76_dev) in the mt7921_pci_remove() function, which leads to a use-after-free or invalid memory access when the driver is removed quickly before the probe() function has fully completed initialization.

Impact Analysis

This vulnerability can cause the Linux kernel to crash when the affected wireless driver module is removed quickly after being inserted. This can lead to system instability or downtime, especially in environments where the driver is frequently reloaded or updated. It may disrupt wireless connectivity and require a system reboot to recover.

Detection Guidance

This vulnerability can be detected by performing an insmod/rmmod stress test on the mt7921e driver. Specifically, load the driver module using 'insmod', do not bring the interface up (do not run 'ifup'), and then quickly remove the module using 'rmmod' within 1 second. If the system crashes or you see a kernel crash dump similar to the provided log (including KASAN user-memory-access errors related to mt7921_pci_remove), the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves avoiding the insmod/rmmod stress test sequence that triggers the crash. Specifically, do not quickly remove the mt7921e driver module after loading it without bringing the interface up. Wait for the probe() to finish properly before removing the module. Applying the patch that fixes the missing mt76_dev in mt7921_pci_remove() when it becomes available is the definitive fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50714. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart