CVE-2022-49503
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to ensure that it is within the bitmap. drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept() error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'
Security Summary
CVE-2022-49503 is a vulnerability in the Linux kernel's ath9k_htc wireless driver, specifically in the ath9k_cmn_rx_accept() function located at drivers/net/wireless/ath/ath9k/common.c:46. The issue involves a potential out-of-bounds access when an invalid value in rxstatus->rs_keyix (or rx_stats->rs_keyix) is passed to test_bit() without ensuring it falls within the bitmap bounds. This flaw, classified under CWE-125 (Out-of-bounds Read), has a CVSS v3.1 base score of 7.1.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation leads to high confidentiality (C:H) and availability (A:H) impacts, with no integrity impact (I:N) and unchanged scope (S:U), potentially enabling information disclosure or denial of service through the out-of-bounds read.
Mitigation involves applying the relevant stable kernel patches referenced in the kernel git repository, including commits 0bcb528402cd5e1a6e1833e956fd58a12d509e8e, 2326d398ccd41ba6d93b8346532dfa432ab00fee, 2dc509305cf956381532792cb8dceef2b1504765, 3dad3fed5672828c7fb0465cb66a3d9a70952fa6, and 461e4c1f199076275f16bf6f3d3e42c6b6c79f33, which fix the bounds checking for rs_keyix before passing it to test_bit().
Details
- CWE(s)