CVE-2022-50709
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
syzbot is reporting an uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates an skb with uninitialized memory and ath9k_htc_rx_msg() reads from uninitialized memory.
Since the bytes accessed by ath9k_htc_rx_msg() are not known until ath9k_htc_rx_msg() is called, it would be difficult to check the minimal valid pkt_len at the "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in ath9k_hif_usb_rx_stream().
We have two choices. One is to workaround by adding __GFP_ZERO so that ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose the latter.
Note that I'm not sure the threshold condition is correct, for I can't find details on the possible packet lengths used by this protocol.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing packet length validation in the Linux kernel's ath9k WiFi driver allows uninitialized memory reads via USB, potentially leaking sensitive data.
Vulnerability
CVE-2022-50709 is a flaw in the Linux kernel's ath9k WiFi driver, specifically in the ath9k_htc_rx_msg() function. The root cause is that the driver does not validate the packet length (pkt_len) received from a USB endpoint before that length is used to allocate a socket buffer via __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) in ath9k_hif_usb_rx_stream(). An attacker can send a crafted USB request (e.g., via ioctl(USB_RAW_IOCTL_EP_WRITE)) with pkt_len = 0, causing the driver to allocate an skb whose contents are never written and then have ath9k_htc_rx_msg() read message fields from that uninitialized kernel memory [1][2].
Exploitation
Exploitation requires physical access or the ability to send malicious USB control transfers to a device using the ath9k_htc driver. No authentication is needed beyond the ability to interact with the USB device. The attacker triggers the vulnerable code path by writing a zero-length packet to the USB endpoint, which the driver's ath9k_hif_usb_rx_stream() function processes without checking that pkt_len is large enough to hold a message header [1][2].
Impact
A successful exploit could allow an attacker to read uninitialized kernel memory, potentially leaking sensitive information such as cryptographic keys, passwords, or other kernel data. The impact is limited to information disclosure; the vulnerability does not directly enable code execution or privilege escalation [1][2].
Mitigation
The Linux kernel community has addressed this issue by adding a validation check in ath9k_htc_rx_msg() that verifies pkt_len before the skb data is accessed. The fix was backported to multiple stable kernel branches. Users should apply the latest kernel updates from their distribution to remediate the vulnerability [1][2][3].
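A user-space model of the length check described above, added here as an example (it is not the kernel's code and not the patch itself): the header layout follows the driver's struct htc_frame_hdr, while rx_packet, rx_msg_unchecked, rx_msg_checked, the 0xAA fill and the payload_len bound are assumptions made for illustration. The checked parser goes one step beyond the described fix by also bounding the header's payload_len field against the received length.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* 8-byte HTC frame header; field layout follows the driver's struct htc_frame_hdr. */
struct htc_frame_hdr {
	uint8_t  endpoint_id;
	uint8_t  flags;
	uint16_t payload_len;   /* big-endian on the wire */
	uint8_t  control[4];
} __attribute__((packed));

#define RX_SLACK 32 /* ath9k_hif_usb_rx_stream() allocates pkt_len + 32 bytes */

/* Unfixed parse: the header is read without asking whether skb_len covers it. */
static int rx_msg_unchecked(const uint8_t *skb, size_t skb_len, struct htc_frame_hdr *out)
{
	(void)skb_len;                      /* length is never consulted */
	memcpy(out, skb, sizeof(*out));
	return 0;
}

/* Fixed parse: refuse anything shorter than the header before touching it, then
 * bound the header's payload_len field by the bytes actually received. */
static int rx_msg_checked(const uint8_t *skb, size_t skb_len, struct htc_frame_hdr *out)
{
	if (skb_len < sizeof(struct htc_frame_hdr))
		return -EINVAL;
	memcpy(out, skb, sizeof(*out));
	uint16_t payload_len = (uint16_t)((skb[2] << 8) | skb[3]);
	if (payload_len > skb_len - sizeof(struct htc_frame_hdr))
		return -EINVAL;
	return 0;
}

/* Receive-path model: allocate pkt_len + 32 bytes as the driver does, copy in the
 * pkt_len bytes the device supplied, and hand the buffer to one of the parsers.
 * The 0xAA fill stands in for whatever the unzeroed allocation happened to hold. */
int rx_packet(const uint8_t *wire, size_t pkt_len, int checked, struct htc_frame_hdr *out)
{
	uint8_t *skb = malloc(pkt_len + RX_SLACK);
	if (!skb) return -ENOMEM;
	memset(skb, 0xAA, pkt_len + RX_SLACK); /* simulated stale memory */
	if (pkt_len)
		memcpy(skb, wire, pkt_len);
	int rc = checked ? rx_msg_checked(skb, pkt_len, out)
			 : rx_msg_unchecked(skb, pkt_len, out);
	free(skb);
	return rc;
}
```

With pkt_len = 0 the unchecked path happily returns header fields taken from the slack bytes, which is the information leak the description reports; the checked path rejects the message before any field is read.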
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0d2649b288b7b9484e3d4380c0d6c4720a17e473
- git.kernel.org/stable/c/2c485f4f2a64258acc5228e78ffb828c68d9e770
- git.kernel.org/stable/c/4891a50f5ed8bfcb8f2a4b816b0676f398687783
- git.kernel.org/stable/c/84242f15f911f34aec9b22f99d1e9bff19723dbe
- git.kernel.org/stable/c/9661724f6206bd606ecf13acada676a9975d230b
- git.kernel.org/stable/c/b1b4144508adfc585e43856b31baaf9008a3beb4
- git.kernel.org/stable/c/b383e8abed41cc6ff1a3b34de75df9397fa4878c
- git.kernel.org/stable/c/f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a