github - ghsa-pjr7-jcmf-p5h8

GHSA-PJR7-JCMF-P5H8

Vulnerability from github – Published: 2025-12-30 15:30 – Updated: 2025-12-30 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()

When peer delete failed in a disconnect operation, use-after-free detected by KFENCE in below log. It is because for each vdev_id and address, it has only one struct ath10k_peer, it is allocated in ath10k_peer_map_event(). When connected to an AP, it has more than one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the array peer_map of struct ath10k will be set muti-elements to the same ath10k_peer in ath10k_peer_map_event(). When peer delete failed in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer id in array peer_map of struct ath10k, and then use-after-free happened for the 2nd peer id because they map to the same ath10k_peer.

And clean up all peers in array peer_map for the ath10k_peer, then user-after-free disappeared

peer map event log: [ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e [ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 [ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166

peer unmap event log: [ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) [ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) [ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166

use-after-free log: [21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) [21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 [21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed [21713.799968] ================================================================== [21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.799991] [21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): [21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.800041] drv_sta_state+0x115/0x677 [mac80211] [21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] [21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] [21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] [21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] [21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] [21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] [21713.800161] genl_rcv_msg+0x38e/0x3be [21713.800166] netlink_rcv_skb+0x89/0xf7 [21713.800171] genl_rcv+0x28/0x36 [21713.800176] netlink_unicast+0x179/0x24b [21713.800181] netlink_sendmsg+0x3a0/0x40e [21713.800187] sock_sendmsg+0x72/0x76 [21713.800192] _syssendmsg+0x16d/0x1e3 [21713.800196] _sys_sendmsg+0x95/0xd1 [21713.800200] __sys_sendmsg+0x85/0xbf [21713.800205] do_syscall_64+0x43/0x55 [21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [21713.800213] [21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k [21713.800219] [21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: [21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] [21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] [21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] [21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] [21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-50880"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:03Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()\n\nWhen peer delete failed in a disconnect operation, use-after-free\ndetected by KFENCE in below log. It is because for each vdev_id and\naddress, it has only one struct ath10k_peer, it is allocated in\nath10k_peer_map_event(). When connected to an AP, it has more than\none HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the\narray peer_map of struct ath10k will be set muti-elements to the\nsame ath10k_peer in ath10k_peer_map_event(). When peer delete failed\nin ath10k_sta_state(), the ath10k_peer will be free for the 1st peer\nid in array peer_map of struct ath10k, and then use-after-free happened\nfor the 2nd peer id because they map to the same ath10k_peer.\n\nAnd clean up all peers in array peer_map for the ath10k_peer, then\nuser-after-free disappeared\n\npeer map event log:\n[  306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e\n[  306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33\n[  306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166\n\npeer unmap event log:\n[  435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)\n[  435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)\n[  435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166\n\nuse-after-free log:\n[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)\n[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110\n[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed\n[21713.799968] ==================================================================\n[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.799991]\n[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):\n[21713.800010]  ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.800041]  drv_sta_state+0x115/0x677 [mac80211]\n[21713.800059]  __sta_info_destroy_part2+0xb1/0x133 [mac80211]\n[21713.800076]  __sta_info_flush+0x11d/0x162 [mac80211]\n[21713.800093]  ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]\n[21713.800110]  ieee80211_mgd_deauth+0x26c/0x29b [mac80211]\n[21713.800137]  cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]\n[21713.800153]  nl80211_deauthenticate+0xf8/0x121 [cfg80211]\n[21713.800161]  genl_rcv_msg+0x38e/0x3be\n[21713.800166]  netlink_rcv_skb+0x89/0xf7\n[21713.800171]  genl_rcv+0x28/0x36\n[21713.800176]  netlink_unicast+0x179/0x24b\n[21713.800181]  netlink_sendmsg+0x3a0/0x40e\n[21713.800187]  sock_sendmsg+0x72/0x76\n[21713.800192]  ____sys_sendmsg+0x16d/0x1e3\n[21713.800196]  ___sys_sendmsg+0x95/0xd1\n[21713.800200]  __sys_sendmsg+0x85/0xbf\n[21713.800205]  do_syscall_64+0x43/0x55\n[21713.800210]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[21713.800213]\n[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k\n[21713.800219]\n[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:\n[21713.800241]  ath10k_peer_map_event+0x7e/0x154 [ath10k_core]\n[21713.800254]  ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]\n[21713.800265]  ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]\n[21713.800277]  ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]\n[21713.800283]  ath10k_pci_process_rx_cb+0x195/0x1d\n---truncated---",
  "id": "GHSA-pjr7-jcmf-p5h8",
  "modified": "2025-12-30T15:30:29Z",
  "published": "2025-12-30T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50880"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2022-50880 (GCVE-0-2022-50880)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23

Title

wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() When peer delete failed in a disconnect operation, use-after-free detected by KFENCE in below log. It is because for each vdev_id and address, it has only one struct ath10k_peer, it is allocated in ath10k_peer_map_event(). When connected to an AP, it has more than one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the array peer_map of struct ath10k will be set muti-elements to the same ath10k_peer in ath10k_peer_map_event(). When peer delete failed in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer id in array peer_map of struct ath10k, and then use-after-free happened for the 2nd peer id because they map to the same ath10k_peer. And clean up all peers in array peer_map for the ath10k_peer, then user-after-free disappeared peer map event log: [ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e [ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 [ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 peer unmap event log: [ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) [ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) [ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 use-after-free log: [21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) [21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 [21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed [21713.799968] ================================================================== [21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.799991] [21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): [21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.800041] drv_sta_state+0x115/0x677 [mac80211] [21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] [21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] [21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] [21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] [21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] [21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] [21713.800161] genl_rcv_msg+0x38e/0x3be [21713.800166] netlink_rcv_skb+0x89/0xf7 [21713.800171] genl_rcv+0x28/0x36 [21713.800176] netlink_unicast+0x179/0x24b [21713.800181] netlink_sendmsg+0x3a0/0x40e [21713.800187] sock_sendmsg+0x72/0x76 [21713.800192] ____sys_sendmsg+0x16d/0x1e3 [21713.800196] ___sys_sendmsg+0x95/0xd1 [21713.800200] __sys_sendmsg+0x85/0xbf [21713.800205] do_syscall_64+0x43/0x55 [21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [21713.800213] [21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k [21713.800219] [21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: [21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] [21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] [21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] [21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] [21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/15604ab67179ae27e…
	https://git.kernel.org/stable/c/2d6259715c9597a6c…
	https://git.kernel.org/stable/c/f12fc305c127bd07b…
	https://git.kernel.org/stable/c/4494ec1c0bb850eaa…
	https://git.kernel.org/stable/c/08faf07717be0c88b…
	https://git.kernel.org/stable/c/54a3201f3c1ff8135…
	https://git.kernel.org/stable/c/2bf916418d2141b81…
	https://git.kernel.org/stable/c/38245f2d62cd4d1f3…
	https://git.kernel.org/stable/c/f020d9570a04df076…

Impacted products

Vendor

Product

Version

Linux

Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 15604ab67179ae27ea3c7fb24b6df32b143257c4 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 2d6259715c9597a6cfa25db8911683eb0073b1c6 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < f12fc305c127bd07bb50373e29c6037696f916a8 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 4494ec1c0bb850eaa80fed98e5b041d961011d3e (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 08faf07717be0c88b02b5aa45aad2225dfcdd2dc (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 54a3201f3c1ff813523937da78b5fa7649dbab71 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 2bf916418d2141b810c40812433ab4ecfd3c2934 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 38245f2d62cd4d1f38a763a7b4045ab4565b30a0 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < f020d9570a04df0762a2ac5c50cf1d8c511c9164 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "15604ab67179ae27ea3c7fb24b6df32b143257c4",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "2d6259715c9597a6cfa25db8911683eb0073b1c6",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "f12fc305c127bd07bb50373e29c6037696f916a8",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "4494ec1c0bb850eaa80fed98e5b041d961011d3e",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "08faf07717be0c88b02b5aa45aad2225dfcdd2dc",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "54a3201f3c1ff813523937da78b5fa7649dbab71",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "2bf916418d2141b810c40812433ab4ecfd3c2934",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "38245f2d62cd4d1f38a763a7b4045ab4565b30a0",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "f020d9570a04df0762a2ac5c50cf1d8c511c9164",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()\n\nWhen peer delete failed in a disconnect operation, use-after-free\ndetected by KFENCE in below log. It is because for each vdev_id and\naddress, it has only one struct ath10k_peer, it is allocated in\nath10k_peer_map_event(). When connected to an AP, it has more than\none HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the\narray peer_map of struct ath10k will be set muti-elements to the\nsame ath10k_peer in ath10k_peer_map_event(). When peer delete failed\nin ath10k_sta_state(), the ath10k_peer will be free for the 1st peer\nid in array peer_map of struct ath10k, and then use-after-free happened\nfor the 2nd peer id because they map to the same ath10k_peer.\n\nAnd clean up all peers in array peer_map for the ath10k_peer, then\nuser-after-free disappeared\n\npeer map event log:\n[  306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e\n[  306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33\n[  306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166\n\npeer unmap event log:\n[  435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)\n[  435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)\n[  435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166\n\nuse-after-free log:\n[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)\n[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110\n[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed\n[21713.799968] ==================================================================\n[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.799991]\n[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):\n[21713.800010]  ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.800041]  drv_sta_state+0x115/0x677 [mac80211]\n[21713.800059]  __sta_info_destroy_part2+0xb1/0x133 [mac80211]\n[21713.800076]  __sta_info_flush+0x11d/0x162 [mac80211]\n[21713.800093]  ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]\n[21713.800110]  ieee80211_mgd_deauth+0x26c/0x29b [mac80211]\n[21713.800137]  cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]\n[21713.800153]  nl80211_deauthenticate+0xf8/0x121 [cfg80211]\n[21713.800161]  genl_rcv_msg+0x38e/0x3be\n[21713.800166]  netlink_rcv_skb+0x89/0xf7\n[21713.800171]  genl_rcv+0x28/0x36\n[21713.800176]  netlink_unicast+0x179/0x24b\n[21713.800181]  netlink_sendmsg+0x3a0/0x40e\n[21713.800187]  sock_sendmsg+0x72/0x76\n[21713.800192]  ____sys_sendmsg+0x16d/0x1e3\n[21713.800196]  ___sys_sendmsg+0x95/0xd1\n[21713.800200]  __sys_sendmsg+0x85/0xbf\n[21713.800205]  do_syscall_64+0x43/0x55\n[21713.800210]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[21713.800213]\n[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k\n[21713.800219]\n[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:\n[21713.800241]  ath10k_peer_map_event+0x7e/0x154 [ath10k_core]\n[21713.800254]  ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]\n[21713.800265]  ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]\n[21713.800277]  ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]\n[21713.800283]  ath10k_pci_process_rx_cb+0x195/0x1d\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:23:19.551Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934"
        },
        {
          "url": "https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164"
        }
      ],
      "title": "wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50880",
    "datePublished": "2025-12-30T12:23:19.551Z",
    "dateReserved": "2025-12-30T12:06:07.137Z",
    "dateUpdated": "2025-12-30T12:23:19.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-PJR7-JCMF-P5H8

CVE-2022-50880 (GCVE-0-2022-50880)

Tags

Sightings

Nomenclature