{ "threat_severity" : "Moderate", "public_date" : "2025-09-15T00:00:00Z", "bugzilla" : { "description" : "kernel: wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()", "id" : "2395431", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395431" }, "cvss3" : { "cvss3_base_score" : "6.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()\nThis patch fixes a stack-out-of-bounds read in brcmfmac that occurs\nwhen 'buf' that is not null-terminated is passed as an argument of\nstrsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware\nversion string by memcpy() in brcmf_fil_iovar_data_get().\nThe patch ensures buf is null-terminated.\nFound by a modified version of syzkaller.\n[ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3\n[ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[ 47.601565][ T1897] ==================================================================\n[ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0\n[ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897\n[ 47.604336][ T1897]\n[ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131\n[ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event\n[ 47.607453][ T1897] Call Trace:\n[ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1\n[ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334\n[ 47.609009][ T1897] ? strsep+0x1b2/0x1f0\n[ 47.609434][ T1897] ? strsep+0x1b2/0x1f0\n[ 47.609863][ T1897] kasan_report.cold+0x83/0xdf\n[ 47.610366][ T1897] ? strsep+0x1b2/0x1f0\n[ 47.610882][ T1897] strsep+0x1b2/0x1f0\n[ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0\n[ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40\n[ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100\n[ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0\n[ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0\n[ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0\n[ 47.614704][ T1897] ? find_held_lock+0x2d/0x110\n[ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260\n[ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[ 47.616288][ T1897] brcmf_attach+0x246/0xd40\n[ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0\n[ 47.617280][ T1897] ? kmemdup+0x43/0x50\n[ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690\n[ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760\n[ 47.619429][ T1897] ? usb_probe_device+0x250/0x250\n[ 47.619950][ T1897] really_probe+0x205/0xb70\n[ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130\n[ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0\n[ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130\n[ 47.622209][ T1897] driver_probe_device+0x4e/0x150\n[ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0\n[ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0\n[ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30\n[ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160\n[ 47.625437][ T1897] __device_attach+0x23f/0x3a0\n[ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0\n[ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0\n[ 47.627057][ T1897] bus_probe_device+0x1da/0x290\n[ 47.627557][ T1897] device_add+0xb7b/0x1eb0\n[ 47.628027][ T1897] ? wait_for_completion+0x290/0x290\n[ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0\n[ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0\n[ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0\n[ 47.630385][ T1897] usb_probe_device+0xbb/0x250\n[ 47.630927][ T1897] ? usb_suspend+0x590/0x590\n[ 47.631397][ T1897] really_probe+0x205/0xb70\n[ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130\n[ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0\n[ 47.633002][ \n---truncated---" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50258\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50258\nhttps://lore.kernel.org/linux-cve-announce/2025091551-CVE-2022-50258-1497@gregkh/T" ], "name" : "CVE-2022-50258", "csaw" : false }