{
  "threat_severity" : "Important",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()",
    "id" : "2426203",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426203"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()\nThis patch fixes a use-after-free in ath9k that occurs in\nath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access\n'drv_priv' that has already been freed by ieee80211_free_hw(), called by\nath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before\nieee80211_free_hw(). Note that urbs from the driver should be killed\nbefore freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will\naccess 'wmi'.\nFound by a modified version of syzkaller.\n==================================================================\nBUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40\nRead of size 8 at addr ffff8881069132a0 by task kworker/0:1/7\nCPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\ndump_stack_lvl+0x8e/0xd1\nprint_address_description.constprop.0.cold+0x93/0x334\n? ath9k_destroy_wmi+0x38/0x40\n? ath9k_destroy_wmi+0x38/0x40\nkasan_report.cold+0x83/0xdf\n? ath9k_destroy_wmi+0x38/0x40\nath9k_destroy_wmi+0x38/0x40\nath9k_hif_usb_disconnect+0x329/0x3f0\n? ath9k_hif_usb_suspend+0x120/0x120\n? usb_disable_interface+0xfc/0x180\nusb_unbind_interface+0x19b/0x7e0\n? usb_autoresume_device+0x50/0x50\ndevice_release_driver_internal+0x44d/0x520\nbus_remove_device+0x2e5/0x5a0\ndevice_del+0x5b2/0xe30\n? __device_link_del+0x370/0x370\n? usb_remove_ep_devs+0x43/0x80\n? remove_intf_ep_devs+0x112/0x1a0\nusb_disable_device+0x1e3/0x5a0\nusb_disconnect+0x267/0x870\nhub_event+0x168d/0x3950\n? rcu_read_lock_sched_held+0xa1/0xd0\n? hub_port_debounce+0x2e0/0x2e0\n? check_irq_usage+0x860/0xf20\n? drain_workqueue+0x281/0x360\n? lock_release+0x640/0x640\n? rcu_read_lock_sched_held+0xa1/0xd0\n? rcu_read_lock_bh_held+0xb0/0xb0\n? lockdep_hardirqs_on_prepare+0x273/0x3e0\nprocess_one_work+0x92b/0x1460\n? pwq_dec_nr_in_flight+0x330/0x330\n? rwlock_bug.part.0+0x90/0x90\nworker_thread+0x95/0xe00\n? __kthread_parkme+0x115/0x1e0\n? process_one_work+0x1460/0x1460\nkthread+0x3a1/0x480\n? set_kthread_struct+0x120/0x120\nret_from_fork+0x1f/0x30\nThe buggy address belongs to the page:\npage:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913\nflags: 0x200000000000000(node=0|zone=2)\nraw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635\nprep_new_page+0x1aa/0x240\nget_page_from_freelist+0x159a/0x27c0\n__alloc_pages+0x2da/0x6a0\nalloc_pages+0xec/0x1e0\nkmalloc_order+0x39/0xf0\nkmalloc_order_trace+0x19/0x120\n__kmalloc+0x308/0x390\nwiphy_new_nm+0x6f5/0x1dd0\nieee80211_alloc_hw_nm+0x36d/0x2230\nath9k_htc_probe_device+0x9d/0x1e10\nath9k_htc_hw_init+0x34/0x50\nath9k_hif_usb_firmware_cb+0x25f/0x4e0\nrequest_firmware_work_func+0x131/0x240\nprocess_one_work+0x92b/0x1460\nworker_thread+0x95/0xe00\nkthread+0x3a1/0x480\npage last free stack trace:\nfree_pcp_prepare+0x3d3/0x7f0\nfree_unref_page+0x1e/0x3d0\ndevice_release+0xa4/0x240\nkobject_put+0x186/0x4c0\nput_device+0x20/0x30\nath9k_htc_disconnect_device+0x1cf/0x2c0\nath9k_htc_hw_deinit+0x26/0x30\nath9k_hif_usb_disconnect+0x2d9/0x3f0\nusb_unbind_interface+0x19b/0x7e0\ndevice_release_driver_internal+0x44d/0x520\nbus_remove_device+0x2e5/0x5a0\ndevice_del+0x5b2/0xe30\nusb_disable_device+0x1e3/0x5a0\nusb_disconnect+0x267/0x870\nhub_event+0x168d/0x3950\nprocess_one_work+0x92b/0x1460\nMemory state around the buggy address:\nffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\nffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n>ffff888\n---truncated---", "A use-after-free flaw was discovered in the ath9k USB Wi-Fi driver in the Linux kernel. During the disconnect and deinitialization sequence (ath9k_hif_usb_disconnect()), the driver could attempt to access its private data (drv_priv) after it has already been freed by the hardware teardown call (ieee80211_free_hw() via ath9k_htc_hw_deinit()). This improper ordering can cause the kernel to reference freed memory, leading to undefined behavior including kernel warnings or crashes under certain conditions." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50881\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50881\nhttps://lore.kernel.org/linux-cve-announce/2025123025-CVE-2022-50881-88e5@gregkh/T" ],
  "name" : "CVE-2022-50881",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}