CVE-2022-50829
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
It is possible that skb is freed in ath9k_htc_rx_msg(), then usb_submit_urb() fails and we try to free skb again. It causes use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed and there can be a memory leak.
The patch removes unnecessary nskb and makes skb processing more clear: it is supposed that ath9k_htc_rx_msg() either frees old skb or passes its managing to another callback function.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
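The ownership rule from the description above, as an added userspace model in C (not code from the kernel or from the patch): `consume()`, `buf_release()`, `callback_before()`, `callback_after()` and the simplified control flow are assumptions made for illustration. It counts releases of the old buffer to show the double release when resubmission fails and the leaked context when allocation fails.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code: counters stand in for real frees. */
struct buf { int releases; };                 /* stand-in for the skb */
struct result { int old_releases; bool ctx_leaked; };

static void buf_release(struct buf *b) { if (b) b->releases++; }
/* Stand-in for ath9k_htc_rx_msg(): takes ownership of the buffer it is given. */
static void consume(struct buf *b) { buf_release(b); }

/* Pre-fix shape (assumed flow): separate nskb, old skb pointer kept alive. */
struct result callback_before(bool alloc_fails, bool submit_fails)
{
    struct buf old = {0}, fresh = {0};
    struct buf *skb = &old, *nskb = alloc_fails ? NULL : &fresh;
    bool ctx_dropped = false, ctx_freed = false;
    if (!nskb) {
        ctx_dropped = true;          /* context cleared, rx_buf never freed */
    } else {
        consume(skb);
        if (submit_fails) {
            buf_release(skb);        /* second release of a consumed buffer */
            ctx_dropped = ctx_freed = true;
        }
    }
    return (struct result){ old.releases, ctx_dropped && !ctx_freed };
}

/* Post-fix shape: after consume() the pointer only names the replacement. */
struct result callback_after(bool alloc_fails, bool submit_fails)
{
    struct buf old = {0}, fresh = {0};
    struct buf *skb = &old;
    bool ctx_dropped = false, ctx_freed = false;
    consume(skb);                    /* ownership leaves the callback here */
    skb = alloc_fails ? NULL : &fresh;
    if (!skb || submit_fails) {
        buf_release(skb);            /* releases only the replacement, if any */
        ctx_dropped = ctx_freed = true;
    }
    return (struct result){ old.releases, ctx_dropped && !ctx_freed };
}

int main(void)
{
    printf("old-buffer releases on failed resubmit: before=%d after=%d\n",
           callback_before(false, true).old_releases, callback_after(false, true).old_releases);
    return 0;
}
```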
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free bug in the Linux kernel's ath9k WiFi driver USB callback can lead to memory corruption or code execution.
Vulnerability Overview
CVE-2022-50829 is a use-after-free vulnerability in the Linux kernel's ath9k WiFi driver, specifically in the ath9k_hif_usb_reg_in_cb() callback function for USB devices. The root cause is that a socket buffer (skb) can be freed inside ath9k_htc_rx_msg(), and then if usb_submit_urb() fails, the code attempts to free the same skb again, leading to a use-after-free condition. Additionally, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed, causing a memory leak [1][2].
Exploitation
An attacker with physical access or the ability to inject malicious USB traffic into the system could trigger this bug by sending crafted USB packets to a device using the ath9k_htc driver. The vulnerability is reachable from the USB completion handler, which is a common attack surface for the driver's receive path. No special privileges are required beyond the ability to interact with the USB device [3].
Impact
Successful exploitation could allow an attacker to corrupt kernel memory, potentially leading to a denial of service (system crash) or, in more severe cases, arbitrary code execution in the kernel context. The use-after-free can be leveraged to overwrite kernel objects and escalate privileges [4].
Mitigation
The fix was applied to the Linux kernel stable branches. Users should update to a kernel version containing the commit that removes the unnecessary nskb and clarifies skb ownership in the callback. No workaround is available; patching is required [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
9
5e8751a977a4, f127c2b4c967, 0c8dd2ea4b41, 988bd27de248, 98d9172822dc, 355f16f756aa, 53b9bb1a00c4, 71fc0ad671a6, dd95f2239fc8
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9
- git.kernel.org/stable/c/0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f (nvd)
- git.kernel.org/stable/c/355f16f756aad0c95cdaa0c14a34ab4137d32815 (nvd)
- git.kernel.org/stable/c/53b9bb1a00c4285ee7f58a11129dbea015db61bc (nvd)
- git.kernel.org/stable/c/5e8751a977a49a6e00cce1a8da5ca16da83f9c8c (nvd)
- git.kernel.org/stable/c/71fc0ad671a62c494d2aec731baeabd3bfe6c95d (nvd)
- git.kernel.org/stable/c/988bd27de2484faf17afe0408db2e3d9e5ac61fc (nvd)
- git.kernel.org/stable/c/98d9172822dc6f38138333941984bd759a89d419 (nvd)
- git.kernel.org/stable/c/dd95f2239fc846795fc926787c3ae0ca701c9840 (nvd)
- git.kernel.org/stable/c/f127c2b4c967025e5c3a4ce7e13b79135d46a33d (nvd)