{
  "threat_severity" : "Low",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ath9k_htc: fix uninit value bugs",
    "id" : "2347667",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347667"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-908",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nath9k_htc: fix uninit value bugs\nSyzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing\nfield initialization.\nIn htc_connect_service() svc_meta_len and pad are not initialized. Based\non code it looks like in current skb there is no service data, so simply\ninitialize svc_meta_len to 0.\nhtc_issue_send() does not initialize htc_frame_hdr::control array. Based\non firmware code, it will initialize it by itself, so simply zero whole\narray to make KMSAN happy\nFail logs:\nBUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\nusb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\nhif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]\nhif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479\nhtc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]\nhtc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275\n...\nUninit was created at:\nslab_post_alloc_hook mm/slab.h:524 [inline]\nslab_alloc_node mm/slub.c:3251 [inline]\n__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\nkmalloc_reserve net/core/skbuff.c:354 [inline]\n__alloc_skb+0x545/0xf90 net/core/skbuff.c:426\nalloc_skb include/linux/skbuff.h:1126 [inline]\nhtc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258\n...\nBytes 4-7 of 18 are uninitialized\nMemory access of size 18 starts at ffff888027377e00\nBUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\nusb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\nhif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]\nhif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479\nhtc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]\nhtc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275\n...\nUninit was created at:\nslab_post_alloc_hook mm/slab.h:524 [inline]\nslab_alloc_node mm/slub.c:3251 [inline]\n__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\nkmalloc_reserve net/core/skbuff.c:354 [inline]\n__alloc_skb+0x545/0xf90 net/core/skbuff.c:426\nalloc_skb include/linux/skbuff.h:1126 [inline]\nhtc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258\n...\nBytes 16-17 of 18 are uninitialized\nMemory access of size 18 starts at ffff888027377e00" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-08T00:00:00Z",
    "advisory" : "RHSA-2022:7683",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-425.3.1.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49235\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49235\nhttps://lore.kernel.org/linux-cve-announce/2025022624-CVE-2022-49235-52fb@gregkh/T" ],
  "name" : "CVE-2022-49235",
  "csaw" : false
}