CVE-2022-49523: Vulnerability in the Linux kernel (ath11k)
In the Linux kernel, the following vulnerability has been resolved:

ath11k: disable spectral scan during spectral deinit

When ath11k modules are removed using rmmod with spectral scan enabled, a crash is observed. A different crash trace is observed for each crash. Send the spectral scan disable WMI command to firmware before cleaning the spectral dbring in the spectral_deinit API to avoid this crash.

Call trace from one of the crashes observed:

[ 1252.880802] Unable to handle kernel NULL pointer dereference at virtual address 00000008
[ 1252.882722] pgd = 0f42e886
[ 1252.890955] [00000008] *pgd=00000000
[ 1252.893478] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 1253.093035] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.89 #0
[ 1253.115261] Hardware name: Generic DT based system
[ 1253.121149] PC is at ath11k_spectral_process_data+0x434/0x574 [ath11k]
[ 1253.125940] LR is at 0x88e31017
[ 1253.132448] pc : [<7f9387b8>] lr : [<88e31017>] psr: a0000193
[ 1253.135488] sp : 80d01bc8 ip : 00000001 fp : 970e0000
[ 1253.141737] r10: 88e31000 r9 : 970ec000 r8 : 00000080
[ 1253.146946] r7 : 94734040 r6 : a0000113 r5 : 00000057 r4 : 00000000
[ 1253.152159] r3 : e18cb694 r2 : 00000217 r1 : 1df1f000 r0 : 00000001
[ 1253.158755] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 1253.165266] Control: 10c0383d Table: 5e71006a DAC: 00000055
[ 1253.172472] Process swapper/0 (pid: 0, stack limit = 0x60870141)
[ 1253.458055] [<7f9387b8>] (ath11k_spectral_process_data [ath11k]) from [<7f917fdc>] (ath11k_dbring_buffer_release_event+0x214/0x2e4 [ath11k])
[ 1253.466139] [<7f917fdc>] (ath11k_dbring_buffer_release_event [ath11k]) from [<7f8ea3c4>] (ath11k_wmi_tlv_op_rx+0x1840/0x29cc [ath11k])
[ 1253.478807] [<7f8ea3c4>] (ath11k_wmi_tlv_op_rx [ath11k]) from [<7f8fe868>] (ath11k_htc_rx_completion_handler+0x180/0x4e0 [ath11k])
[ 1253.490699] [<7f8fe868>] (ath11k_htc_rx_completion_handler [ath11k]) from [<7f91308c>] (ath11k_ce_per_engine_service+0x2c4/0x3b4 [ath11k])
[ 1253.502386] [<7f91308c>] (ath11k_ce_per_engine_service [ath11k]) from [<7f9a4198>] (ath11k_pci_ce_tasklet+0x28/0x80 [ath11k_pci])
[ 1253.514811] [<7f9a4198>] (ath11k_pci_ce_tasklet [ath11k_pci]) from [<8032227c>] (tasklet_action_common.constprop.2+0x64/0xe8)
[ 1253.526476] [<8032227c>] (tasklet_action_common.constprop.2) from [<803021e8>] (__do_softirq+0x130/0x2d0)
[ 1253.537756] [<803021e8>] (__do_softirq) from [<80322610>] (irq_exit+0xcc/0xe8)
[ 1253.547304] [<80322610>] (irq_exit) from [<8036a4a4>] (__handle_domain_irq+0x60/0xb4)
[ 1253.554428] [<8036a4a4>] (__handle_domain_irq) from [<805eb348>] (gic_handle_irq+0x4c/0x90)
[ 1253.562321] [<805eb348>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)

Tested-on: QCN6122 hw1.0 AHB WLAN.HK.2.6.0.1-00851-QCAHKSWPL_SILICONZ-1
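The trace above shows the WMI receive path (ath11k_dbring_buffer_release_event calling ath11k_spectral_process_data) running after the spectral dbring has been torn down. The following is an added example, not code from the kernel or the ath11k driver: a user-space model of that teardown ordering, with the vulnerable sequence (free the ring, then tell the firmware to stop) beside the fixed one (send the disable command first, then free). All struct and function names are hypothetical stand-ins for the driver's.

```c
/* Added example, not code from the kernel or the ath11k driver: a user-space model of
 * the ordering bug. The "firmware" keeps delivering dbring buffer-release events until
 * it gets the spectral-disable WMI command; process_data dereferences the ring those
 * events refer to. All names here are hypothetical stand-ins for the driver's. */
#include <stdbool.h>
#include <stdlib.h>

struct dbring { int nbufs; };                   /* stands in for the ath11k dbring */
struct spectral {
    struct dbring *ring;                        /* freed by deinit */
    bool fw_scan_enabled;                       /* firmware-side scan state */
};

/* WMI "spectral scan disable": the firmware stops producing release events. */
static void wmi_spectral_disable(struct spectral *sp) { sp->fw_scan_enabled = false; }

/* Model of the rx tasklet path (dbring_buffer_release_event -> process_data).
 * Returns 0 if handled or nothing was pending, -1 if the handler would touch a
 * ring that is already gone (the NULL dereference in the oops above). */
static int deliver_fw_event(struct spectral *sp) {
    if (!sp->fw_scan_enabled)
        return 0;                               /* disabled firmware sends nothing */
    if (sp->ring == NULL)
        return -1;                              /* torn down while scan still enabled */
    sp->ring->nbufs--;                          /* consume the buffer */
    return 0;
}

/* Vulnerable order: free the ring while the firmware may still deliver into it. */
static int deinit_vulnerable(struct spectral *sp) {
    free(sp->ring); sp->ring = NULL;            /* dbring cleanup first ... */
    int rc = deliver_fw_event(sp);              /* ... so a late event hits NULL */
    wmi_spectral_disable(sp);                   /* disable comes too late */
    return rc;
}

/* Fixed order: quiesce the producer first, then free what it writes into. */
static int deinit_fixed(struct spectral *sp) {
    wmi_spectral_disable(sp);                   /* no more events after this point */
    free(sp->ring); sp->ring = NULL;
    return deliver_fw_event(sp);                /* nothing can reach the freed ring */
}

/* One init/deinit cycle with scan enabled (as in the report); returns the deinit result. */
static int run_cycle(bool fixed_order) {
    struct spectral sp = { .ring = calloc(1, sizeof(struct dbring)), .fw_scan_enabled = true };
    sp.ring->nbufs = 4;
    return fixed_order ? deinit_fixed(&sp) : deinit_vulnerable(&sp);
}
```

The same producer-before-consumer rule is what mitigation item 2 below asks operators to follow by hand on unpatched kernels: stop the scan before unloading the module.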
AI Analysis
Technical Summary
CVE-2022-49523 is a vulnerability identified in the Linux kernel's ath11k wireless driver module, specifically related to the handling of spectral scan functionality during module removal. The ath11k driver supports Qualcomm Atheros Wi-Fi 6 chipsets. The vulnerability manifests when the ath11k kernel module is removed (e.g., via the rmmod command) while spectral scan is enabled. Spectral scanning is a feature used for radio frequency analysis and interference detection. The issue arises because the driver does not properly disable spectral scanning before deinitializing spectral data structures, leading to a use-after-free or NULL pointer dereference in kernel space. This improper cleanup causes kernel crashes (kernel oops) with varying crash traces, as the driver attempts to access freed or invalid memory during spectral deinitialization. The provided kernel logs indicate a NULL pointer dereference at a low memory address (0x00000008) within the ath11k_spectral_process_data function, triggered during the spectral deinit sequence. The root cause is the failure to send a spectral scan disable WMI (Wireless Module Interface) command to the firmware before cleaning spectral data buffers, which leads to the driver processing stale or invalid data. This vulnerability affects Linux kernel versions containing the affected ath11k driver code, particularly those with the specified commit hash d5c65159f2895379e11ca13f62feabe93278985d. The issue was tested on Qualcomm QCN6122 hardware. While this vulnerability causes system instability and kernel crashes, there is no indication of privilege escalation or remote code execution. Exploitation requires local access to the system with the ability to unload kernel modules, which typically requires root privileges. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the primary impact of CVE-2022-49523 is potential denial of service (DoS) due to kernel crashes on systems using affected Linux kernels with ath11k wireless drivers. This can lead to system instability, unexpected reboots, or downtime, affecting availability of critical infrastructure, servers, or endpoints relying on Wi-Fi connectivity. Organizations deploying Linux-based systems with Qualcomm Atheros Wi-Fi 6 chipsets, especially in embedded devices, network appliances, or industrial control systems, may experience disruptions. Although the vulnerability requires local root access to trigger, an attacker who gains such access could cause repeated crashes, impacting system reliability. This could be leveraged as part of a broader attack to degrade service or disrupt operations. However, since no remote exploitation or privilege escalation is indicated, the confidentiality and integrity impact is limited. The vulnerability is more relevant for environments where wireless module management and kernel module unloading occur dynamically, such as development, testing, or specialized embedded systems. For typical enterprise Linux server deployments without ath11k hardware or module unloading, the risk is minimal.
Mitigation Recommendations
1. Apply the official Linux kernel patches that properly disable spectral scanning before spectral deinitialization in the ath11k driver. Monitor Linux kernel updates and backport fixes if using long-term support kernels.
2. Avoid unloading the ath11k kernel module while spectral scanning is enabled. Ensure spectral scan is explicitly disabled before module removal.
3. Restrict root access and module unloading capabilities to trusted administrators only, minimizing the risk of accidental or malicious triggering of the vulnerability.
4. For embedded or specialized devices using Qualcomm Atheros Wi-Fi 6 chipsets, validate firmware and driver versions to confirm the presence of the fix.
5. Implement monitoring for kernel oops or crashes related to ath11k spectral scanning to detect potential exploitation attempts or instability.
6. Where possible, disable spectral scanning if not required for operational purposes to reduce attack surface.
7. Test kernel updates in staging environments before deployment to avoid unexpected disruptions.
8. Maintain up-to-date backups and recovery procedures to mitigate impact of potential system crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.588Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe4326
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:56:12 PM
Last updated: 8/9/2025, 6:46:15 AM
Related Threats
- CVE-2025-5998: CWE-2280 Improper Handling of Insufficient Permissions or Privileges in PPWP – Password Protect Pages (severity: Unknown)
- CVE-2025-8952: SQL Injection in Campcodes Online Flight Booking Management System (severity: Medium)
- CVE-2025-8951: SQL Injection in PHPGurukul Teachers Record Management System (severity: Medium)
- CVE-2025-8950: SQL Injection in Campcodes Online Recruitment Management System (severity: Medium)
- CVE-2025-27388: CWE-20 Improper Input Validation in OPPO OPPO HEALTH APP (severity: High)