CVE-2022-49519: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ath10k: skip ath10k_halt during suspend for driver state RESTARTING

A double free crash is observed when FW recovery (caused by a wmi timeout/crash) is followed by an immediate suspend event. The FW recovery is triggered by ath10k_core_restart(), which calls driver clean up via ath10k_halt(). When the suspend event occurs during the FW recovery, the restart worker thread is put into a frozen state until suspend completes. The suspend event triggers ath10k_stop(), which again triggers ath10k_halt(). The double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be called twice (note: ath10k_htt_rx_alloc was not called by the restart worker thread because of its frozen state), causing the crash.

To fix this, during the suspend flow, skip the call to ath10k_halt() in ath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING. Also, for driver state ATH10K_STATE_RESTARTING, call ath10k_wait_for_suspend() in ath10k_stop(). This is because the call to ath10k_wait_for_suspend() is skipped later in [ath10k_halt() > ath10k_core_stop()] for the driver state ATH10K_STATE_RESTARTING. The frozen restart worker thread will be cancelled during resume when the device comes out of suspend.

Below is the crash stack for reference:

[ 428.469167] ------------[ cut here ]------------
[ 428.469180] kernel BUG at mm/slub.c:4150!
[ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 428.469219] Workqueue: events_unbound async_run_entry_fn
[ 428.469230] RIP: 0010:kfree+0x319/0x31b
[ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246
[ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000
[ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000
[ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000
[ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 428.469285] Call Trace:
[ 428.469295] ? dma_free_attrs+0x5f/0x7d
[ 428.469320] ath10k_core_stop+0x5b/0x6f
[ 428.469336] ath10k_halt+0x126/0x177
[ 428.469352] ath10k_stop+0x41/0x7e
[ 428.469387] drv_stop+0x88/0x10e
[ 428.469410] __ieee80211_suspend+0x297/0x411
[ 428.469441] rdev_suspend+0x6e/0xd0
[ 428.469462] wiphy_suspend+0xb1/0x105
[ 428.469483] ? name_show+0x2d/0x2d
[ 428.469490] dpm_run_callback+0x8c/0x126
[ 428.469511] ? name_show+0x2d/0x2d
[ 428.469517] __device_suspend+0x2e7/0x41b
[ 428.469523] async_suspend+0x1f/0x93
[ 428.469529] async_run_entry_fn+0x3d/0xd1
[ 428.469535] process_one_work+0x1b1/0x329
[ 428.469541] worker_thread+0x213/0x372
[ 428.469547] kthread+0x150/0x15f
[ 428.469552] ? pr_cont_work+0x58/0x58
[ 428.469558] ? kthread_blkcg+0x31/0x31

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1
AI Analysis
Technical Summary
CVE-2022-49519 is a vulnerability in the Linux kernel's ath10k wireless driver, specifically affecting the handling of firmware (FW) recovery and suspend events. The issue arises when a firmware recovery, triggered by a WMI timeout or crash, occurs concurrently with an immediate suspend event. During FW recovery, the ath10k_core_restart() function initiates driver cleanup via ath10k_halt(). If a suspend event happens during this recovery, the restart worker thread is frozen until suspend completes. The suspend event triggers ath10k_stop(), which again calls ath10k_halt(). This double invocation of ath10k_halt() leads to ath10k_htt_rx_free() being called twice without a corresponding allocation, causing a double free condition and subsequent kernel crash. The crash manifests as a kernel BUG in the memory allocator (slub.c), resulting in invalid opcode exceptions and system instability. The fix implemented skips the call to ath10k_halt() during suspend if the driver state is ATH10K_STATE_RESTARTING and ensures proper synchronization by calling ath10k_wait_for_suspend() to wait for suspend completion. The frozen restart worker thread is cancelled during resume to prevent lingering issues. This vulnerability specifically affects devices using the Qualcomm Atheros QCA6174 wireless chipset and similar hardware running affected Linux kernel versions. The root cause is a race condition between firmware recovery and suspend operations leading to double free memory corruption and kernel panic.
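As an added example (not the ath10k driver's or the kernel's own code), the following userspace C model replays the sequence the description and the technical summary walk through: the restart worker halts the device, is frozen before it can re-allocate, and the suspend path then calls ath10k_stop(); the `fixed` flag switches in the patched state check. Only the function and state names come from the page; the struct, the free counter and the `race_waited` flag are constructed for the model.

```c
/* Added example, not the ath10k driver's own code: a userspace model of the
 * restart/suspend race. Function and state names mirror the page; the struct,
 * the free counter and the race_waited flag are constructed for the model. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum ath10k_state { ATH10K_STATE_ON, ATH10K_STATE_RESTARTING };
struct model_ar {
    enum ath10k_state state;
    void *htt_rx;      /* stands in for the HTT RX ring freed by ath10k_htt_rx_free() */
    int rx_free_calls; /* frees since the last alloc; 2 means a double free */
};
bool race_waited; /* did the last run_race() reach ath10k_wait_for_suspend()? */
/* ath10k_htt_rx_free(): a second free of the same buffer is the kfree() BUG. */
static void model_htt_rx_free(struct model_ar *ar)
{
    if (ar->rx_free_calls++ == 0) { free(ar->htt_rx); ar->htt_rx = NULL; }
}
static void model_halt(struct model_ar *ar) { model_htt_rx_free(ar); }

/* ath10k_stop() on the suspend path; `fixed` selects the patched behaviour. */
static void model_stop(struct model_ar *ar, bool fixed)
{
    if (fixed && ar->state == ATH10K_STATE_RESTARTING) {
        race_waited = true; /* patched: skip halt, still wait for suspend */
        return;
    }
    model_halt(ar);
}
/* Replays the race: restart worker halts, is frozen before it re-allocates,
 * then suspend calls stop(). Returns how many times rx_free ran. */
int run_race(bool fixed)
{
    struct model_ar ar = { .state = ATH10K_STATE_ON, .htt_rx = malloc(64) }; /* first start */
    race_waited = false;
    ar.state = ATH10K_STATE_RESTARTING; /* ath10k_core_restart() begins */
    model_halt(&ar);                    /* restart worker's cleanup */
    /* worker frozen here: no htt_rx_alloc before the suspend event arrives */
    model_stop(&ar, fixed);             /* __ieee80211_suspend -> drv_stop -> ath10k_stop */
    return ar.rx_free_calls;
}

int main(void)
{
    printf("unpatched: rx_free ran %d times\n", run_race(false)); /* 2: double free */
    printf("patched:   rx_free ran %d times\n", run_race(true));  /* 1 */
    return 0;
}
```

The model only counts the second free instead of performing it, so it runs cleanly in userspace while still showing why the unpatched ath10k_stop() path reaches kfree() on an already freed buffer.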
Potential Impact
For European organizations, this vulnerability poses a risk of denial of service (DoS) on systems running affected Linux kernels with ath10k wireless drivers, particularly those using Qualcomm Atheros QCA6174 or related chipsets. The kernel crash can cause system instability, unexpected reboots, or complete loss of wireless connectivity. This can disrupt critical network services, especially in environments relying on Linux-based infrastructure such as servers, embedded devices, IoT gateways, and network appliances. The vulnerability does not appear to allow privilege escalation or remote code execution directly but can be exploited to cause persistent DoS conditions. Organizations with wireless infrastructure or devices using affected drivers may face operational disruptions, impacting availability and potentially leading to downtime in business-critical applications. The risk is heightened in environments where suspend/resume cycles are frequent, such as laptops, mobile devices, or energy-saving server configurations. Although no known exploits are reported in the wild, the vulnerability's nature as a kernel-level double free crash makes it a significant stability concern.
Mitigation Recommendations
1. Update Linux kernels to versions where this vulnerability is patched. Apply vendor-supplied kernel updates or mainline Linux kernel patches that include the fix for CVE-2022-49519.
2. For systems where immediate patching is not feasible, consider disabling suspend/resume functionality or avoid triggering suspend events during firmware recovery periods to reduce the race condition window.
3. Monitor system logs for kernel BUG messages or crashes related to ath10k to detect potential exploitation or instability.
4. In embedded or custom Linux environments, review and backport the patch that skips ath10k_halt() during suspend when the driver state is ATH10K_STATE_RESTARTING and ensures proper synchronization with ath10k_wait_for_suspend().
5. Test wireless driver stability after patching in controlled environments before wide deployment to ensure no regressions.
6. Employ robust system monitoring and automated reboot mechanisms to recover from unexpected kernel crashes if they occur before patching.
7. Engage with hardware vendors to confirm affected device models and firmware versions, ensuring comprehensive coverage of the fix.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.588Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5cbe
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 5:28:51 PM
Last updated: 7/30/2025, 2:39:33 AM