Components
Vulnerabilities
Pricing
MCP
Docs
Sign up
Login
Find vulnerabilities. Fix fast with AI.
Search components by package, version, or CVE to get started.
Ecosystem
Package
Version
Vulnerabilities
CVE-2022-50716
CVE-2022-50716
In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out syzkaller reported use-after-free with the stack trace like below [1]: [ 38.960489][ C3] ================================================================== [ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 [ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0 [ 38.966363][ C3] [ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18 [ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 [ 38.969959][ C3] Call Trace: [ 38.970841][ C3] <IRQ> [ 38.971663][ C3] dump_stack_lvl+0xfc/0x174 [ 38.972620][ C3] print_report.cold+0x2c3/0x752 [ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.974644][ C3] kasan_report+0xb1/0x1d0 [ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240 [ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0 [ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430 [ 38.981266][ C3] dummy_timer+0x140c/0x34e0 [ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0 [ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.986242][ C3] ? lock_release+0x51c/0x790 [ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70 [ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130 [ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 38.990777][ C3] ? lock_acquire+0x472/0x550 [ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.993138][ C3] ? lock_acquire+0x472/0x550 [ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230 [ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0 [ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0 [ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0 [ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0 [ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0 [ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10 [ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40 [ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0 [ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0 [ 39.016196][ C3] __do_softirq+0x1d2/0x9be [ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190 [ 39.019004][ C3] irq_exit_rcu+0x5/0x20 [ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0 [ 39.021965][ C3] </IRQ> [ 39.023237][ C3] <TASK> In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()): ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd() If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure. This patch fixes this issue by canceling in-flight tx cmd if submitted urb timed out.
Components Impacted
Components Impacted
Security Details
Security Details
Sonatype Research
Sonatype Research
Published Dec 26, 2025
https://lore.kernel.org/linux-cve-announce/2025122415-CVE-2022-50716-88e6@gregkh/
CVSS Score
High
8.5
Ecosystem
Package
Version
Ecosystem
Package
Version
rpm
kernel
2.6.32-131.0.15.el6
rpm
kernel
2.6.32-131.12.1.el6
rpm
kernel
2.6.32-131.17.1.el6
rpm
kernel
2.6.32-131.2.1.el6
rpm
kernel
2.6.32-131.21.1.el6
rpm
kernel
2.6.32-131.4.1.el6
rpm
kernel
2.6.32-131.6.1.el6
rpm
kernel
2.6.32-220.13.1.el6
rpm
kernel
2.6.32-220.17.1.el6
rpm
kernel
2.6.32-220.2.1.el6
rpm
kernel
2.6.32-220.23.1.el6
rpm
kernel
2.6.32-220.4.1.el6
rpm
kernel
2.6.32-220.4.2.el6
rpm
kernel
2.6.32-220.7.1.el6
rpm
kernel
2.6.32-220.el6
rpm
kernel
2.6.32-279.1.1.el6
rpm
kernel
2.6.32-279.11.1.el6
rpm
kernel
2.6.32-279.14.1.el6
rpm
kernel
2.6.32-279.19.1.el6
rpm
kernel
2.6.32-279.2.1.el6
rpm
kernel
2.6.32-279.22.1.el6
rpm
kernel
2.6.32-279.5.1.el6
rpm
kernel
2.6.32-279.5.2.el6
rpm
kernel
2.6.32-279.9.1.el6
rpm
kernel
2.6.32-279.el6
rpm
kernel
2.6.32-358.0.1.el6
rpm
kernel
2.6.32-358.11.1.el6
rpm
kernel
2.6.32-358.14.1.el6
rpm
kernel
2.6.32-358.18.1.el6
rpm
kernel
2.6.32-358.2.1.el6
rpm
kernel
2.6.32-358.23.2.el6
rpm
kernel
2.6.32-358.6.1.el6
rpm
kernel
2.6.32-358.6.2.el6
rpm
kernel
2.6.32-358.el6
rpm
kernel
2.6.32-431.1.2.el6
rpm
kernel
2.6.32-431.11.2.el6
rpm
kernel
2.6.32-431.17.1.el6
rpm
kernel
2.6.32-431.20.3.el6
rpm
kernel
2.6.32-431.20.5.el6
rpm
kernel
2.6.32-431.23.3.el6
rpm
kernel
2.6.32-431.29.2.el6
rpm
kernel
2.6.32-431.3.1.el6
rpm
kernel
2.6.32-431.5.1.el6
rpm
kernel
2.6.32-431.el6
rpm
kernel
2.6.32-504.1.3.el6
rpm
kernel
2.6.32-504.12.2.el6
rpm
kernel
2.6.32-504.16.2.el6
rpm
kernel
2.6.32-504.23.4.el6
rpm
kernel
2.6.32-504.3.3.el6
rpm
kernel
2.6.32-504.30.3.el6
1-50 of 686
CVE-2022-50716 | Components Impacted | Sonatype Guide | Sonatype Guide
