CVE-2022-49130: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

ath11k: mhi: use mhi_sync_power_up()

If amss.bin was missing ath11k would crash during 'rmmod ath11k_pci'. The reason for that was that we were using mhi_async_power_up() which does not check any errors. But mhi_sync_power_up() on the other hand does check for errors so let's use that to fix the crash.

I was not able to find a reason why an async version was used. ath11k_mhi_start() (which enables state ATH11K_MHI_POWER_ON) is called from ath11k_hif_power_up(), which can sleep. So the sync version should be safe to use here.

[ 145.569731] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI
[ 145.569789] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 145.569843] CPU: 2 PID: 1628 Comm: rmmod Kdump: loaded Tainted: G W 5.16.0-wt-ath+ #567
[ 145.569898] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
[ 145.569956] RIP: 0010:ath11k_hal_srng_access_begin+0xb5/0x2b0 [ath11k]
[ 145.570028] Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ec 01 00 00 48 8b ab a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <0f> b6 14 02 48 89 e8 83 e0 07 83 c0 03 45 85 ed 75 48 38 d0 7c 08
[ 145.570089] RSP: 0018:ffffc900025d7ac0 EFLAGS: 00010246
[ 145.570144] RAX: dffffc0000000000 RBX: ffff88814fca2dd8 RCX: 1ffffffff50cb455
[ 145.570196] RDX: 0000000000000000 RSI: ffff88814fca2dd8 RDI: ffff88814fca2e80
[ 145.570252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffa8659497
[ 145.570329] R10: fffffbfff50cb292 R11: 0000000000000001 R12: ffff88814fca0000
[ 145.570410] R13: 0000000000000000 R14: ffff88814fca2798 R15: ffff88814fca2dd8
[ 145.570465] FS: 00007fa399988540(0000) GS:ffff888233e00000(0000) knlGS:0000000000000000
[ 145.570519] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 145.570571] CR2: 00007fa399b51421 CR3: 0000000137898002 CR4: 00000000003706e0
[ 145.570623] Call Trace:
[ 145.570675] <TASK>
[ 145.570727] ? ath11k_ce_tx_process_cb+0x34b/0x860 [ath11k]
[ 145.570797] ath11k_ce_tx_process_cb+0x356/0x860 [ath11k]
[ 145.570864] ? tasklet_init+0x150/0x150
[ 145.570919] ? ath11k_ce_alloc_pipes+0x280/0x280 [ath11k]
[ 145.570986] ? tasklet_clear_sched+0x42/0xe0
[ 145.571042] ? tasklet_kill+0xe9/0x1b0
[ 145.571095] ? tasklet_clear_sched+0xe0/0xe0
[ 145.571148] ? irq_has_action+0x120/0x120
[ 145.571202] ath11k_ce_cleanup_pipes+0x45a/0x580 [ath11k]
[ 145.571270] ? ath11k_pci_stop+0x10e/0x170 [ath11k_pci]
[ 145.571345] ath11k_core_stop+0x8a/0xc0 [ath11k]
[ 145.571434] ath11k_core_deinit+0x9e/0x150 [ath11k]
[ 145.571499] ath11k_pci_remove+0xd2/0x260 [ath11k_pci]
[ 145.571553] pci_device_remove+0x9a/0x1c0
[ 145.571605] __device_release_driver+0x332/0x660
[ 145.571659] driver_detach+0x1e7/0x2c0
[ 145.571712] bus_remove_driver+0xe2/0x2d0
[ 145.571772] pci_unregister_driver+0x21/0x250
[ 145.571826] __do_sys_delete_module+0x30a/0x4b0
[ 145.571879] ? free_module+0xac0/0xac0
[ 145.571933] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
[ 145.571986] ? syscall_enter_from_user_mode+0x1d/0x50
[ 145.572039] ? lockdep_hardirqs_on+0x79/0x100
[ 145.572097] do_syscall_64+0x3b/0x90
[ 145.572153] entry_SYSCALL_64_after_hwframe+0x44/0xae

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2
AI Analysis
Technical Summary
CVE-2022-49130 is a vulnerability identified in the Linux kernel's ath11k wireless driver, specifically related to the MHI (Modem Host Interface) power-up sequence. The issue arises when the amss.bin firmware file is missing, causing the ath11k driver to crash during the removal of the ath11k_pci module (rmmod operation). The root cause is the use of an asynchronous power-up function (mhi_async_power_up()) that does not verify error conditions, leading to a null pointer dereference and a general protection fault in kernel space. The fix involves switching to a synchronous power-up function (mhi_sync_power_up()) that properly checks for errors, preventing the crash. The vulnerability manifests as a kernel crash (general protection fault) due to dereferencing a null pointer when the driver attempts to access hardware registers without the required firmware loaded. This can cause a denial of service (DoS) by crashing the kernel or causing instability. The vulnerability was observed on Intel NUC hardware running Linux kernel version 5.16.0-wt-ath+ with ath11k driver versions tied to specific git commit hashes. The vulnerability does not appear to require user interaction or authentication beyond the ability to remove the kernel module, which typically requires root privileges. No known exploits are reported in the wild, and no CVSS score has been assigned. The issue is technical and specific to the ath11k wireless driver handling Qualcomm WCN6855 hardware or similar chipsets using the MHI interface. The vulnerability is primarily a stability and availability concern due to kernel crashes triggered by missing firmware files during module removal.
Potential Impact
For European organizations, the impact of CVE-2022-49130 centers on system availability and stability, particularly for those using Linux systems with Qualcomm ath11k wireless chipsets (e.g., WCN6855) in their infrastructure or endpoint devices. A successful trigger of this vulnerability can cause kernel crashes leading to denial of service, potentially disrupting critical network connectivity and operations. This is especially relevant for organizations relying on Linux-based wireless networking in environments such as enterprise offices, data centers, or industrial control systems. While exploitation requires root privileges to remove the kernel module, the vulnerability could be leveraged by attackers who have already gained elevated access to cause system instability or to cover tracks by forcing reboots. The lack of user interaction requirement means automated scripts or malware with root access could trigger the crash. However, the absence of known exploits and the technical nature of the flaw limit its immediate threat level. Still, organizations with Linux systems running affected kernel versions and ath11k drivers should consider the risk of unexpected outages and potential operational disruption.
Mitigation Recommendations
1. Ensure Linux systems are updated to kernel versions where this vulnerability is patched, specifically where the ath11k driver uses mhi_sync_power_up() instead of the asynchronous variant.
2. Verify that the required firmware files (amss.bin) for Qualcomm ath11k wireless devices are correctly installed and accessible to prevent triggering the crash due to missing firmware.
3. Restrict root-level access to trusted administrators only, minimizing the risk of malicious module removal or manipulation.
4. Implement monitoring and alerting for kernel module removals and system crashes to detect potential exploitation attempts early.
5. For critical systems, consider isolating or limiting the use of affected wireless hardware until patches are applied.
6. Review and harden system configurations to prevent unauthorized module unloading or kernel manipulation.
7. Maintain an inventory of hardware and driver versions to quickly identify systems at risk and prioritize patching efforts.
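Recommendation 4 asks for detection of crashes of this kind. The following is an added example, not part of the CVE record or of the ath11k driver: it groups dmesg lines into oops records and flags a fault whose triggering process is rmmod and whose call trace unwinds through ath11k_pci_remove() inside ath11k, so the event can be correlated with module-unload audit events. The sample log is condensed from the trace quoted in the description; the constructed `usb` line is there to show that unrelated messages are ignored.

```python
import re
# Banner that opens an oops record (x86 GPF or page fault) after the dmesg timestamp.
OOPS_START = re.compile(r"^\[\s*[\d.]+\]\s+(general protection fault|BUG: unable to handle page fault)")
COMM_RE = re.compile(r"\bComm: (?P<comm>\S+)")
KASAN_RE = re.compile(r"\bKASAN: (?P<kind>[\w-]+)")
SYM = r"(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?"   # symbol+off/size [module]
RIP_RE = re.compile(r"RIP: \d+:" + SYM)
FRAME_RE = re.compile(r"^\[\s*[\d.]+\]\s+\??\s*" + SYM)   # a leading '?' marks an unreliable frame

def parse_oopses(text):
    """Group dmesg lines into oops records (dicts); lines before the first banner are ignored."""
    oopses, cur = [], None
    for line in text.splitlines():
        if (m := OOPS_START.match(line)):
            cur = {"header": m.group(1), "comm": "", "kasan": "", "rip": ("", ""), "frames": []}
            oopses.append(cur)
        elif cur is None:
            continue
        elif (m := COMM_RE.search(line)):
            cur["comm"] = m.group("comm")
        elif (m := KASAN_RE.search(line)):
            cur["kasan"] = m.group("kind")
        elif (m := RIP_RE.search(line)):
            cur["rip"] = (m.group("sym"), m.group("mod") or "vmlinux")
        elif (m := FRAME_RE.match(line)):
            cur["frames"].append((m.group("sym"), m.group("mod") or "vmlinux"))
    return oopses

def matches_cve_2022_49130(o):
    """rmmod-triggered fault inside ath11k whose trace unwinds through the PCI remove path."""
    in_ath11k = o["rip"][1] == "ath11k" or any(mod == "ath11k" for _, mod in o["frames"])
    via_remove = any(sym == "ath11k_pci_remove" for sym, _ in o["frames"])
    return o["comm"] == "rmmod" and in_ath11k and via_remove

def triage(text):
    """One summary line per matching oops, suitable for an alert or a ticket."""
    return [f"{o['header']}: {o['kasan'] or 'fault'} in {o['rip'][0]} [{o['rip'][1]}], Comm={o['comm']}"
            for o in parse_oopses(text) if matches_cve_2022_49130(o)]

# Constructed sample: the record's trace condensed, plus an unrelated line that must be ignored.
SAMPLE_DMESG = """\
[ 145.569731] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI
[ 145.569789] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 145.569843] CPU: 2 PID: 1628 Comm: rmmod Kdump: loaded Tainted: G W 5.16.0-wt-ath+ #567
[ 145.569956] RIP: 0010:ath11k_hal_srng_access_begin+0xb5/0x2b0 [ath11k]
[ 145.570727] ? ath11k_ce_tx_process_cb+0x34b/0x860 [ath11k]
[ 145.571499] ath11k_pci_remove+0xd2/0x260 [ath11k_pci]
[ 145.571826] __do_sys_delete_module+0x30a/0x4b0
[ 150.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""
```

Feed it the output of `dmesg` or `journalctl -k`; an auditd rule on the delete_module syscall supplies the unload event to correlate against.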
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.267Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe4fc2
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 3:11:16 AM
Last updated: 8/7/2025, 10:01:32 AM