CVE-2022-50716
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
syzkaller reported a use-after-free with a stack trace like the one below [1]:
[ 38.960489][ C3] ==================================================================
[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
[ 38.966363][ C3]
[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[ 38.969959][ C3] Call Trace:
[ 38.970841][ C3]
[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174
[ 38.972620][ C3] print_report.cold+0x2c3/0x752
[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.974644][ C3] kasan_report+0xb1/0x1d0
[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240
[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0
[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430
[ 38.981266][ C3] dummy_timer+0x140c/0x34e0
[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0
[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.986242][ C3] ? lock_release+0x51c/0x790
[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70
[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130
[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 38.990777][ C3] ? lock_acquire+0x472/0x550
[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.993138][ C3] ? lock_acquire+0x472/0x550
[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230
[ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0
[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0
[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0
[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0
[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0
[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10
[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40
[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0
[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0
[ 39.016196][ C3] __do_softirq+0x1d2/0x9be
[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190
[ 39.019004][ C3] irq_exit_rcu+0x5/0x20
[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0
[ 39.021965][ C3]
[ 39.023237][ C3]
In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()):
ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd()
If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure.
This patch fixes this issue by canceling the in-flight tx cmd if the submitted urb timed out.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's ar5523 USB wireless driver: when a command issued during device probe times out, the driver frees its device structure while the command's USB transfer is still in flight, and the transfer's completion callback later dereferences the freed memory.
Root Cause
The ar5523 driver sends commands to the device with ar5523_cmd(), which submits a tx URB (USB Request Block) and waits, with a timeout, for the device to answer. During ar5523_probe(), ar5523_host_available() reaches ar5523_cmd() via ar5523_cmd_read(). If the command times out, ar5523_host_available() fails and ar5523_probe() frees the device structure, but the tx URB is still queued at the host controller: nothing cancels it. When the host controller eventually gives the URB back, its completion callback ar5523_cmd_tx_cb() dereferences the freed structure. syzkaller reported the bug as a KASAN (Kernel Address Sanitizer) use-after-free read of size 8 in ar5523_cmd_tx_cb() [1]; the stack trace shows the callback being reached from __usb_hcd_giveback_urb() in the dummy_hcd timer path, i.e. from softirq context after probe has already returned.
Exploitation
The timeout is under the USB device's control: a device that enumerates with an ID the ar5523 driver binds to and then withholds or delays its response to the probe-time command makes ar5523_cmd() time out, so the still-queued tx URB completes only after ar5523_probe() has freed the device structure. Triggering the bug therefore requires the ability to present a USB device to the host, whether through physical access, a malicious peripheral, or a virtual host controller such as the dummy_hcd that syzkaller used here. No authentication or existing local privilege is needed beyond that. The late completion runs from the timer softirq rather than in a context the attacker owns, so the exploitable window is the interval between the free in probe and the late giveback.
Impact
The late callback accesses the freed device structure (an 8-byte read in the KASAN report). Without KASAN the outcome depends on what the freed slab memory has been reused for: most often a kernel crash (denial of service), and potentially memory corruption or privilege escalation if an attacker can arrange for the freed object to be reallocated with controlled contents before the late completion fires. The page carries no severity score; treat it as a kernel memory-safety bug reachable by an untrusted USB device.
Mitigation
The fix, backported to the stable branches listed under Patches, makes ar5523_cmd() cancel the in-flight tx URB when the wait for the response times out. Cancelling the URB gives it back (and runs its callback) before ar5523_probe() can free the device structure, so the callback never sees freed memory. Update to a kernel that contains one of the stable commits, such as those referenced in the stable tree [2], [3], [4].
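The race described under Root Cause and the cancel-on-timeout fix described under Mitigation, reduced to a userspace model. This is an added example, not the ar5523 driver's code: fake_hcd, kill_urb, ar5523_cmd_model, run_probe and the one-object poisoned "slab" are assumptions made so the sequence runs deterministically outside the kernel, and kill_urb models usb_kill_urb()'s behaviour (dequeue, complete with -ENOENT, return only after the callback has run). Freed memory is poisoned rather than unmapped so the late access can be counted instead of crashing.

```c
/* Userspace model of the ar5523 probe-time use-after-free and its fix.
 * Added example, not kernel code; the names below are assumptions of the model. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct urb;
typedef void (*urb_complete_t)(struct urb *);

/* Minimal USB request block: what the driver hands to the host controller. */
struct urb {
    void *context;           /* driver private pointer; ar5523 stores its device struct here */
    int status;
    bool pending;
    urb_complete_t complete; /* completion callback, run when the HCD gives the URB back */
};

/* Fake host controller: one queued URB and the ticks left until the device answers. */
struct fake_hcd {
    struct urb *inflight;
    int ticks_until_done;
};

/* Model of the driver's per-device structure: the object ar5523_probe() frees on error. */
struct ar5523 {
    unsigned int magic;
    int tx_cmd_done;        /* bumped by the completion callback on a normal completion */
    struct urb tx_urb;      /* the tx command URB, embedded in the device struct */
};

#define AR5523_MAGIC 0x52355223u
#define FREED_MAGIC  0x6b6b6b6bu  /* SLUB's POISON_FREE pattern, so a use of freed memory is detectable */

/* One-object "slab": free poisons instead of unmapping, so a late access is observable, not a crash. */
static struct ar5523 slab_obj;
static struct ar5523 *ar_alloc(void)
{
    memset(&slab_obj, 0, sizeof slab_obj);
    slab_obj.magic = AR5523_MAGIC;
    return &slab_obj;
}
static void ar_free(struct ar5523 *ar) { ar->magic = FREED_MAGIC; }

static int uaf_observed; /* completions that found a poisoned (freed) device struct */

/* Model of ar5523_cmd_tx_cb(): the completion dereferences urb->context unconditionally. */
static void cmd_tx_cb(struct urb *u)
{
    struct ar5523 *ar = u->context;
    if (ar->magic != AR5523_MAGIC) {   /* in the real kernel this is the access KASAN reports */
        uaf_observed++;
        return;
    }
    ar->tx_cmd_done++;
}

static void submit_urb(struct fake_hcd *hcd, struct urb *u)
{
    u->pending = true;
    u->status = 0;
    hcd->inflight = u;
}

/* One host-controller tick: when the device finally answers, the URB is given back and its
 * callback runs (the __usb_hcd_giveback_urb() -> ar5523_cmd_tx_cb() path in the stack trace). */
static void hcd_tick(struct fake_hcd *hcd)
{
    struct urb *u = hcd->inflight;
    if (!u || --hcd->ticks_until_done > 0)
        return;
    hcd->inflight = NULL;
    u->pending = false;
    u->complete(u);
}

/* Model of usb_kill_urb(): dequeue, complete with -ENOENT, return only after the callback ran. */
static void kill_urb(struct fake_hcd *hcd, struct urb *u)
{
    if (hcd->inflight != u)
        return;
    hcd->inflight = NULL;
    u->pending = false;
    u->status = -ENOENT;
    u->complete(u);
}

/* Model of ar5523_cmd(): submit the tx URB and wait up to timeout_ticks for it to complete.
 * With fixed == true the in-flight URB is cancelled on timeout, which is what the patch adds. */
static int ar5523_cmd_model(struct fake_hcd *hcd, struct ar5523 *ar, int timeout_ticks, bool fixed)
{
    ar->tx_urb.context = ar;
    ar->tx_urb.complete = cmd_tx_cb;
    submit_urb(hcd, &ar->tx_urb);
    for (int i = 0; i < timeout_ticks; i++) {
        hcd_tick(hcd);
        if (!ar->tx_urb.pending)
            return ar->tx_urb.status;
    }
    if (fixed)
        kill_urb(hcd, &ar->tx_urb);   /* the fix: cancel the in-flight tx cmd before ar is freed */
    return -ETIMEDOUT;
}

/* Probe sequence: the device stays silent for device_delay ticks, the driver waits timeout ticks.
 * On error ar5523_probe() frees the device struct; the host controller keeps running afterwards.
 * Returns how many completions touched the freed struct (0 means no use-after-free). */
static int run_probe(int device_delay, int timeout, bool fixed)
{
    struct fake_hcd hcd = { .inflight = NULL, .ticks_until_done = device_delay };
    struct ar5523 *ar = ar_alloc();
    uaf_observed = 0;
    if (ar5523_cmd_model(&hcd, ar, timeout, fixed) < 0)
        ar_free(ar);
    for (int i = 0; i < 100; i++)   /* the late giveback lands here, after probe has returned */
        hcd_tick(&hcd);
    return uaf_observed;
}

int main(void)
{
    printf("device answers in time, unpatched:    UAF accesses = %d\n", run_probe(3, 10, false));
    printf("device times out, unpatched:          UAF accesses = %d\n", run_probe(20, 5, false));
    printf("device times out, URB killed on fail: UAF accesses = %d\n", run_probe(20, 5, true));
    return 0;
}
```

The unpatched timeout case reports one access to the freed structure; with the cancel on timeout the URB is given back while the structure is still live, so the counter stays at zero. The same ordering rule applies to any asynchronous completion that holds a pointer to driver state: the owner must cancel or wait for the completion before freeing what it points at.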
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- c9ba3fbf6a48
- 340524ae7b53
- 6447beefd213
- 7360b323e034
- 8af52492717e
- 3eca9697c2f3
- 601ae8937503
- 9aef34e1ae35
- b6702a942a06
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://git.kernel.org/stable/c/340524ae7b53a72cf5d9e7bd7790433422b3b12f (nvd)
- https://git.kernel.org/stable/c/3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd (nvd)
- https://git.kernel.org/stable/c/601ae89375033ac4870c086e24ba03f235d38e55 (nvd)
- https://git.kernel.org/stable/c/6447beefd21326a3f4719ec2ea511df797f6c820 (nvd)
- https://git.kernel.org/stable/c/7360b323e0343ea099091d4ae09576dbe1f09516 (nvd)
- https://git.kernel.org/stable/c/8af52492717e3538eba3f81d012b1476af8a89a6 (nvd)
- https://git.kernel.org/stable/c/9aef34e1ae35a87e5f6a22278c17823b7ce64c88 (nvd)
- https://git.kernel.org/stable/c/b6702a942a069c2a975478d719e98d83cdae1797 (nvd)
- https://git.kernel.org/stable/c/c9ba3fbf6a488da6cad1d304c5234bd8d729eba3 (nvd)