CVE-2022-49238: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855 Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") is to fix firmware crash by changing the WMI command sequence, but actually skip all the peer delete operation, then it lead commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon peer delete failure") not take effect, and then happened a use-after-free warning from KASAN. because the peer->sta is not set to NULL and then used later. Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855. log of user-after-free: [ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860 [ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523 [ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 [ 534.888716] Call Trace: [ 534.888720] <IRQ> [ 534.888726] dump_stack_lvl+0x57/0x7d [ 534.888736] print_address_description.constprop.0+0x1f/0x170 [ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888771] kasan_report.cold+0x83/0xdf [ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k] [ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k] [ 534.888897] ? check_prev_add+0x20f0/0x20f0 [ 534.888922] ? __lock_acquire+0xb72/0x1870 [ 534.888937] ? find_held_lock+0x33/0x110 [ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k] [ 534.888981] ? rcu_read_unlock+0x40/0x40 [ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k] [ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k] [ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889075] call_timer_fn+0x167/0x4a0 [ 534.889084] ? add_timer_on+0x3b0/0x3b0 [ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889117] __run_timers.part.0+0x539/0x8b0 [ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889157] ? call_timer_fn+0x4a0/0x4a0 [ 534.889164] ? mark_lock_irq+0x1c30/0x1c30 [ 534.889173] ? clockevents_program_event+0xdd/0x280 [ 534.889189] ? mark_held_locks+0xa5/0xe0 [ 534.889203] run_timer_softirq+0x97/0x180 [ 534.889213] __do_softirq+0x276/0x86a [ 534.889230] __irq_exit_rcu+0x11c/0x180 [ 534.889238] irq_exit_rcu+0x5/0x20 [ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0 [ 534.889251] </IRQ> [ 534.889254] <TASK> [ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206 [ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10 [ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001 [ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68 [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000 [ 534.889316] ? mark_lock+0xd0/0x14a0 [ 534.889332] klist_next+0x1d4/0x450 [ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0 [ 534.889350] device_for_each_child+0xa8/0x140 [ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0 [ 534.889370] ? __lock_release+0x4bd/0x9f0 [ 534.889378] ? dpm_suspend+0x26b/0x3f0 [ 534.889390] dpm_wait_for_subordinate+ ---truncated---
AI Analysis
Technical Summary
CVE-2022-49238 is a high-severity use-after-free vulnerability in the Linux kernel's ath11k wireless driver, specifically affecting Qualcomm QCA6390 and WCN6855 chipsets. The issue arises from improper handling of peer deletion during station disconnection from an access point. A commit intended to fix a firmware crash by changing the Wireless Module Interface (WMI) command sequence inadvertently skipped the peer delete operation. This omission caused a dangling pointer condition where the peer->sta pointer was not set to NULL after deletion, leading to a use-after-free scenario detected by the Kernel Address Sanitizer (KASAN). The vulnerability manifests as a kernel crash or memory corruption when the driver attempts to access freed memory during peer statistics updates. The problem is rooted in the sequence of WMI commands and the timing of peer deletion relative to virtual device (vdev) stop operations. The vulnerability is tracked under CWE-416 (Use After Free) and has a CVSS v3.1 score of 7.8, indicating high severity. Exploitation requires local privileges with low complexity and no user interaction, but it can lead to full confidentiality, integrity, and availability compromise of the affected system. The vulnerability affects Linux kernel versions containing the specified commit hashes and is particularly relevant for systems using the affected Qualcomm wireless chipsets. No known exploits are currently reported in the wild, but the impact could be significant if exploited.
Potential Impact
For European organizations, this vulnerability poses a substantial risk to any infrastructure relying on Linux systems equipped with Qualcomm QCA6390 or WCN6855 wireless chipsets. Such systems are common in enterprise laptops, embedded devices, and network equipment. Exploitation could allow attackers with local access to cause kernel crashes, leading to denial of service, or potentially execute arbitrary code with kernel privileges, compromising system confidentiality and integrity. This could disrupt critical business operations, especially in sectors relying on wireless connectivity for remote work, IoT deployments, or industrial control systems. The vulnerability's ability to affect confidentiality, integrity, and availability makes it a critical concern for data protection and operational continuity under GDPR and other regulatory frameworks. Additionally, the complexity of exploitation is low for local attackers, increasing the risk in environments where physical or local network access is possible. The lack of user interaction requirement further elevates the threat level.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2022-49238, ensuring the commit that correctly handles peer deletion is applied. Where immediate patching is not feasible, organizations should restrict local access to affected systems, enforce strict access controls, and monitor for unusual kernel crashes or wireless driver errors indicative of exploitation attempts. Network segmentation can limit exposure of vulnerable devices. Additionally, auditing and inventorying hardware to identify devices with Qualcomm QCA6390 or WCN6855 chipsets will help prioritize remediation efforts. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can aid in early detection of similar issues. Vendors and system integrators should be engaged to confirm firmware and driver updates are applied. Finally, organizations should maintain robust incident response plans to quickly address potential exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2022-49238: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855 Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") is to fix firmware crash by changing the WMI command sequence, but actually skip all the peer delete operation, then it lead commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon peer delete failure") not take effect, and then happened a use-after-free warning from KASAN. because the peer->sta is not set to NULL and then used later. Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855. log of user-after-free: [ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860 [ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523 [ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 [ 534.888716] Call Trace: [ 534.888720] <IRQ> [ 534.888726] dump_stack_lvl+0x57/0x7d [ 534.888736] print_address_description.constprop.0+0x1f/0x170 [ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888771] kasan_report.cold+0x83/0xdf [ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k] [ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k] [ 534.888897] ? check_prev_add+0x20f0/0x20f0 [ 534.888922] ? __lock_acquire+0xb72/0x1870 [ 534.888937] ? find_held_lock+0x33/0x110 [ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k] [ 534.888981] ? rcu_read_unlock+0x40/0x40 [ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k] [ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k] [ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889075] call_timer_fn+0x167/0x4a0 [ 534.889084] ? add_timer_on+0x3b0/0x3b0 [ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889117] __run_timers.part.0+0x539/0x8b0 [ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889157] ? call_timer_fn+0x4a0/0x4a0 [ 534.889164] ? mark_lock_irq+0x1c30/0x1c30 [ 534.889173] ? clockevents_program_event+0xdd/0x280 [ 534.889189] ? mark_held_locks+0xa5/0xe0 [ 534.889203] run_timer_softirq+0x97/0x180 [ 534.889213] __do_softirq+0x276/0x86a [ 534.889230] __irq_exit_rcu+0x11c/0x180 [ 534.889238] irq_exit_rcu+0x5/0x20 [ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0 [ 534.889251] </IRQ> [ 534.889254] <TASK> [ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206 [ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10 [ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001 [ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68 [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000 [ 534.889316] ? mark_lock+0xd0/0x14a0 [ 534.889332] klist_next+0x1d4/0x450 [ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0 [ 534.889350] device_for_each_child+0xa8/0x140 [ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0 [ 534.889370] ? __lock_release+0x4bd/0x9f0 [ 534.889378] ? dpm_suspend+0x26b/0x3f0 [ 534.889390] dpm_wait_for_subordinate+ ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2022-49238 is a high-severity use-after-free vulnerability in the Linux kernel's ath11k wireless driver, specifically affecting Qualcomm QCA6390 and WCN6855 chipsets. The issue arises from improper handling of peer deletion during station disconnection from an access point. A commit intended to fix a firmware crash by changing the Wireless Module Interface (WMI) command sequence inadvertently skipped the peer delete operation. This omission caused a dangling pointer condition where the peer->sta pointer was not set to NULL after deletion, leading to a use-after-free scenario detected by the Kernel Address Sanitizer (KASAN). The vulnerability manifests as a kernel crash or memory corruption when the driver attempts to access freed memory during peer statistics updates. The problem is rooted in the sequence of WMI commands and the timing of peer deletion relative to virtual device (vdev) stop operations. The vulnerability is tracked under CWE-416 (Use After Free) and has a CVSS v3.1 score of 7.8, indicating high severity. Exploitation requires local privileges with low complexity and no user interaction, but it can lead to full confidentiality, integrity, and availability compromise of the affected system. The vulnerability affects Linux kernel versions containing the specified commit hashes and is particularly relevant for systems using the affected Qualcomm wireless chipsets. No known exploits are currently reported in the wild, but the impact could be significant if exploited.
Potential Impact
For European organizations, this vulnerability poses a substantial risk to any infrastructure relying on Linux systems equipped with Qualcomm QCA6390 or WCN6855 wireless chipsets. Such systems are common in enterprise laptops, embedded devices, and network equipment. Exploitation could allow attackers with local access to cause kernel crashes, leading to denial of service, or potentially execute arbitrary code with kernel privileges, compromising system confidentiality and integrity. This could disrupt critical business operations, especially in sectors relying on wireless connectivity for remote work, IoT deployments, or industrial control systems. The vulnerability's ability to affect confidentiality, integrity, and availability makes it a critical concern for data protection and operational continuity under GDPR and other regulatory frameworks. Additionally, the complexity of exploitation is low for local attackers, increasing the risk in environments where physical or local network access is possible. The lack of user interaction requirement further elevates the threat level.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2022-49238, ensuring the commit that correctly handles peer deletion is applied. Where immediate patching is not feasible, organizations should restrict local access to affected systems, enforce strict access controls, and monitor for unusual kernel crashes or wireless driver errors indicative of exploitation attempts. Network segmentation can limit exposure of vulnerable devices. Additionally, auditing and inventorying hardware to identify devices with Qualcomm QCA6390 or WCN6855 chipsets will help prioritize remediation efforts. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can aid in early detection of similar issues. Vendors and system integrators should be engaged to confirm firmware and driver updates are applied. Finally, organizations should maintain robust incident response plans to quickly address potential exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T01:49:39.294Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d982dc4522896dcbe53aa
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 7/3/2025, 2:40:11 AM
Last updated: 8/4/2025, 2:09:32 AM
Views: 12
Related Threats
Researcher to release exploit for full auth bypass on FortiWeb
HighCVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.