VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2022-50735

CVE-2022-50735

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: do not run mt76u_status_worker if the device is not running

Fix the following NULL pointer dereference avoiding to run mt76u_status_worker thread if the device is not running yet.

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: mt76 mt76u_tx_status_data RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: mt76x02_send_tx_status+0x1d2/0xeb0 mt76x02_tx_status_data+0x8e/0xd0 mt76u_tx_status_data+0xe1/0x240 process_one_work+0x92b/0x1460 worker_thread+0x95/0xe00 kthread+0x3a1/0x480 ret_from_fork+0x1f/0x30 Modules linked in: --[ end trace 8df5d20fc5040f65 ]-- RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554

Moreover move stat_work schedule out of the for loop.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null-pointer dereference in the Linux kernel's mt76 WiFi driver can be triggered when the status worker runs before the device is fully initialized.

Vulnerability

A null-pointer dereference vulnerability exists in the Linux kernel's mt76 wireless driver, specifically within the mt76u_status_worker function. The root cause is that the driver fails to check whether the device is fully initialized and running before allowing the status worker to execute. During early boot or device setup, the status worker can be scheduled and run while the device's data structures are still in an invalid state, leading to a NULL pointer being accessed [1][2].

Exploitation

This vulnerability is triggered locally by the kernel's workqueue when mt76u_tx_status_data is processed on a device that is not yet running. No special privileges or user interaction are required; the race condition occurs during normal driver initialization. An attacker with the ability to influence device initialization timing or to trigger the status worker prematurely could exploit this condition [1][2].

Impact

Successful exploitation leads to a kernel NULL-pointer dereference, causing a system crash (denial of service). The crash trace shows the dereference occurs in mt76x02_mac_fill_tx_status, where a null pointer is used as a memory address. This can be leveraged to create a local denial-of-service condition against systems using mt76-based WiFi hardware [1][2].

Mitigation

The fix was committed to the Linux kernel stable tree to ensure the status worker only runs when the device is in a running state. Users should apply the latest kernel updates from their distribution or vendor. No workaround is available besides updating the kernel [1][2].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

4
69346de0eb95
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
58fdd84a89b1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
f5ac749a0b21
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
bd5dac7ced5a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.