CVE-2022-50740
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
Syzkaller reports a long-known leak of urbs in ath9k_hif_usb_dealloc_tx_urbs().
The cause of the leak is that usb_get_urb() is called but usb_free_urb() (or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or urb->ep fields have not been initialized and usb_kill_urb() returns immediately.
The patch removes trying to kill urbs located in hif_dev->tx.tx_buf because hif_dev->tx.tx_buf is not supposed to contain urbs which are in pending state (the pending urbs are stored in hif_dev->tx.tx_pending). The tx.tx_lock is acquired so there should not be any changes in the list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
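The leak described above, reduced to a user-space C model (an added example, not the kernel's or the patch's code). `struct urb` here, the `model_*` helpers, `dealloc_idle_urbs()` and the pool size are simplified stand-ins, and the patched path is assumed to skip the get/kill pair and only free each urb.

```c
#include <stdio.h>

#define NUM_TX_URBS 8   /* constructed pool size for this model */

/* Simplified stand-in for the kernel's struct urb (not kernel code). */
struct urb { int refcount; void *dev; void *ep; int released; };

/* Stand-in for usb_alloc_urb(): one reference, never submitted (dev/ep NULL). */
static void model_init_urb(struct urb *u) { *u = (struct urb){ .refcount = 1 }; }

static void model_get_urb(struct urb *u) { u->refcount++; }

/* Stand-in for usb_free_urb(): drops one reference, releases on the last. */
static void model_free_urb(struct urb *u)
{
    if (--u->refcount == 0)
        u->released = 1;
}

/* Stand-in for usb_kill_urb(): returns immediately for an unsubmitted urb. */
static void model_kill_urb(struct urb *u)
{
    if (!u->dev || !u->ep)
        return;   /* the only case modelled here */
}

/* Tear down the idle tx_buf urbs; returns how many were never released. */
static int dealloc_idle_urbs(int patched)
{
    struct urb pool[NUM_TX_URBS];
    int leaked = 0;

    for (int i = 0; i < NUM_TX_URBS; i++) {
        model_init_urb(&pool[i]);
        if (!patched) {
            model_get_urb(&pool[i]);   /* refcount 1 -> 2 */
            model_kill_urb(&pool[i]);  /* early return, refcount stays 2 */
        }
        model_free_urb(&pool[i]);      /* unpatched 2 -> 1, patched 1 -> 0 */
        leaked += !pool[i].released;
    }
    return leaked;
}

int main(void)
{
    printf("unpatched: %d leaked, patched: %d leaked\n", dealloc_idle_urbs(0), dealloc_idle_urbs(1));
    return 0;
}
```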
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory leak of USB request blocks (urbs) in the ath9k HIF USB driver could lead to resource exhaustion.
Vulnerability
In the Linux kernel's ath9k HIF USB driver, ath9k_hif_usb_dealloc_tx_urbs() leaks USB request blocks (urbs). The function calls usb_get_urb(), but the matching usb_free_urb() (or usb_put_urb()) is never reached inside usb_kill_urb(), which returns immediately because the urb->dev or urb->ep fields have not been initialized, so the urbs are left unreleased [1].
Exploitation
The bug is reachable via USB device interaction with the ath9k driver. An attacker with physical USB access or the ability to trigger driver deallocation could cause urbs to accumulate. No special privileges beyond USB device access are required; the flaw was discovered by Syzkaller fuzzing [1].
Impact
Repeated triggering of the deallocation path leads to memory exhaustion, potentially causing denial-of-service (DoS) conditions on the system. The leak affects kernel memory, not user-space resources.
Mitigation
Patches have been applied to the Linux kernel stable tree. Commits [1] and [2] fix the issue by removing the erroneous urb kill loop and ensuring proper cleanup under lock. Users should update to a kernel containing these fixes.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (9)
134ae5eba412, 472312fef2b9, eddbb8f7620f, 9850791d389b, c3fb3e9a2c0c, d856f7574bcc, c05189a429fd, 08aa0537ec8c, c2a94de38c74
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- git.kernel.org/stable/c/08aa0537ec8cf29ceccae98acc1a534fc12598c1 (nvd)
- git.kernel.org/stable/c/134ae5eba41294eff76e4be20d6001b8f0192207 (nvd)
- git.kernel.org/stable/c/472312fef2b9eccaa03bd59e0ab2527da945e736 (nvd)
- git.kernel.org/stable/c/9850791d389b342ae6e573fe8198db0b4d338352 (nvd)
- git.kernel.org/stable/c/c05189a429fdb371dd455c3c466d67ac2ebff152 (nvd)
- git.kernel.org/stable/c/c2a94de38c74e86f49124ac14f093d6a5c377a90 (nvd)
- git.kernel.org/stable/c/c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d (nvd)
- git.kernel.org/stable/c/d856f7574bcc1d81de565a857caf32f122cd7ce0 (nvd)
- git.kernel.org/stable/c/eddbb8f7620f9f8008b090a6e10c460074ca575a (nvd)