CVE-2022-50871
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Fix qmi_msg_handler data structure initialization
qmi_msg_handler is required to be null terminated by the QMI module. There might be a case where a handler for a msg id is not present in the handlers array, which can lead to an infinite loop while searching for the handler and therefore an out-of-bounds access in qmi_invoke_handler(). Hence update the initialization of the qmi_msg_handler data structure.
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-termination flaw in ath11k's QMI handler array can cause an infinite loop and out-of-bounds access in the Linux kernel.
In the Linux kernel's ath11k wireless driver, the qmi_msg_handler data structure was not properly null-terminated. The QMI module requires the handler array to end with a null entry; without it, if a handler for a particular message ID is missing, the search loop may continue past the array boundaries, leading to an infinite loop and out-of-bounds memory access in qmi_invoke_handler() [1].
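The sentinel requirement described above, as an added userspace example that is not the kernel's or the driver's code: a lookup that stops only at an empty entry, next to a bounded check that a table really ends with one. The struct, function names and message ids are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model; all names and message ids are constructed. */
struct msg_handler {
    unsigned int msg_id;
    void (*fn)(const void *payload);
};

static void on_ready(const void *p) { (void)p; }
static void on_mem_request(const void *p) { (void)p; }

/* Correct table: the final all-zero entry is the terminator. */
static const struct msg_handler handlers[] = {
    { .msg_id = 0x21, .fn = on_ready },
    { .msg_id = 0x35, .fn = on_mem_request },
    { 0 }, /* end of list */
};

/* Defective pattern: no terminator. Only ever passed to the bounded check. */
static const struct msg_handler unterminated[] = {
    { .msg_id = 0x21, .fn = on_ready },
    { .msg_id = 0x35, .fn = on_mem_request },
};

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Sentinel-driven search: for an unknown id the only stop condition is the
 * entry whose fn is NULL, so the caller must guarantee the table has one. */
static const struct msg_handler *find_handler(const struct msg_handler *tbl,
                                              unsigned int msg_id)
{
    for (const struct msg_handler *h = tbl; h->fn; h++)
        if (h->msg_id == msg_id)
            return h;
    return NULL;
}

/* Bounded check for use where the element count is still known (e.g. at
 * registration): is the last entry the terminator? Never reads past count. */
static int table_is_terminated(const struct msg_handler *tbl, size_t count)
{
    return count > 0 && tbl[count - 1].fn == NULL;
}

int main(void)
{
    printf("unknown id found: %d\n", find_handler(handlers, 0x99) != NULL);
    printf("unterminated ok: %d\n",
           table_is_terminated(unterminated, ARRAY_LEN(unterminated)));
    return 0;
}
```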
The vulnerability is exploitable by sending a crafted QMI message that does not have a corresponding handler in the array. This can be done without authentication if the attacker has access to the QMI interface, which is typically accessible from the host to the firmware on the wireless card [1].
An attacker who successfully triggers the out-of-bounds access could cause a denial of service (system crash or hang) or potentially escalate privileges within the kernel context. As of the fix, this issue is known to affect IPQ8074 hardware and is fixed by Linux kernel commit ed3725e15a15 [1].
The patch is included in stable kernel updates. System administrators should apply the latest kernel updates from their distribution. There is no workaround other than patching the kernel.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3
d5d71de448f3
a10e1530c424
ed3725e15a15
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0