{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-08T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: ath11k: fix monitor mode bringup crash",
    "id" : "2419908",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2419908"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-237",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: ath11k: fix monitor mode bringup crash\nWhen the interface is brought up in monitor mode, it leads\nto NULL pointer dereference crash. This crash happens when\nthe packet type is extracted for a SKB. This extraction\nwhich is present in the received msdu delivery path, is\nnot needed for the monitor ring packets since they are\nall RAW packets. Hence appending the flags with\n\"RX_FLAG_ONLY_MONITOR\" to skip that extraction.\nObserved calltrace:\nUnable to handle kernel NULL pointer dereference at virtual address\n0000000000000064\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004\nCM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000048517000\n[0000000000000064] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in: ath11k_pci ath11k qmi_helpers\nCPU: 2 PID: 1781 Comm: napi/-271 Not tainted\n6.1.0-rc5-wt-ath-656295-gef907406320c-dirty #6\nHardware name: Qualcomm Technologies, Inc. IPQ8074/AP-HK10-C2 (DT)\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k]\nlr : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x5c/0x60 [ath11k]\nsp : ffff80000ef5bb10\nx29: ffff80000ef5bb10 x28: 0000000000000000 x27: ffff000007baafa0\nx26: ffff000014a91ed0 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff800002b77378 x22: ffff000014a91ec0 x21: ffff000006c8d600\nx20: 0000000000000000 x19: ffff800002b77740 x18: 0000000000000006\nx17: 736564203634343a x16: 656e694c20657079 x15: 0000000000000143\nx14: 00000000ffffffea x13: ffff80000ef5b8b8 x12: ffff80000ef5b8c8\nx11: ffff80000a591d30 x10: ffff80000a579d40 x9 : c0000000ffffefff\nx8 : 0000000000000003 x7 : 0000000000017fe8 x6 : ffff80000a579ce8\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 3a35ec12ed7f8900 x1 : 0000000000000000 x0 : 0000000000000052\nCall trace:\nath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k]\nath11k_dp_rx_deliver_msdu.isra.42+0xa4/0x3d0 [ath11k]\nath11k_dp_rx_mon_deliver.isra.43+0x2f8/0x458 [ath11k]\nath11k_dp_rx_process_mon_rings+0x310/0x4c0 [ath11k]\nath11k_dp_service_srng+0x234/0x338 [ath11k]\nath11k_pcic_ext_grp_napi_poll+0x30/0xb8 [ath11k]\n__napi_poll+0x5c/0x190\nnapi_threaded_poll+0xf0/0x118\nkthread+0xf4/0x110\nret_from_fork+0x10/0x20\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1", "A null pointer dereference vulnerability was found in the ath11k wireless driver in the Linux kernel. When an interface is brought up in monitor mode, the driver attempts to extract the packet type from RAW monitor ring packets, which lack the expected structure. This causes a kernel crash due to dereferencing a null pointer during SKB processing." ],
  "statement" : "This flaw requires local access and specific hardware (Qualcomm ath11k-based WiFi adapters like QCN9074). Monitor mode is typically used for network analysis and requires elevated privileges to enable.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50627\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50627\nhttps://lore.kernel.org/linux-cve-announce/2025120853-CVE-2022-50627-a907@gregkh/T" ],
  "name" : "CVE-2022-50627",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the ath11k module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}