CVE-2022-49238

High

Published: 26 February 2025

Published

26 February 2025

Modified

25 March 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0009 24.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49238 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, testing, and remediation of the use-after-free flaw in the ath11k driver via kernel patches, directly eliminating the vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Mandates vulnerability scanning of kernel and driver components to identify CVE-2022-49238 and trigger patching before local exploitation.

SI-16 Memory Protection partial match

prevent

Deploys memory protection techniques like KASAN or exploit mitigations to detect or block unauthorized access to the dangling peer structure in ath11k.

NVD Description

In the Linux kernel, the following vulnerability has been resolved: ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855 Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") is to fix firmware…

crash by changing the WMI command sequence, but actually skip all the peer delete operation, then it lead commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon peer delete failure") not take effect, and then happened a use-after-free warning from KASAN. because the peer->sta is not set to NULL and then used later. Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855. log of user-after-free: [ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860 [ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523 [ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 [ 534.888716] Call Trace: [ 534.888720] <IRQ> [ 534.888726] dump_stack_lvl+0x57/0x7d [ 534.888736] print_address_description.constprop.0+0x1f/0x170 [ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888771] kasan_report.cold+0x83/0xdf [ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k] [ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k] [ 534.888897] ? check_prev_add+0x20f0/0x20f0 [ 534.888922] ? __lock_acquire+0xb72/0x1870 [ 534.888937] ? find_held_lock+0x33/0x110 [ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k] [ 534.888981] ? rcu_read_unlock+0x40/0x40 [ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k] [ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k] [ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889075] call_timer_fn+0x167/0x4a0 [ 534.889084] ? add_timer_on+0x3b0/0x3b0 [ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889117] __run_timers.part.0+0x539/0x8b0 [ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889157] ? call_timer_fn+0x4a0/0x4a0 [ 534.889164] ? mark_lock_irq+0x1c30/0x1c30 [ 534.889173] ? clockevents_program_event+0xdd/0x280 [ 534.889189] ? mark_held_locks+0xa5/0xe0 [ 534.889203] run_timer_softirq+0x97/0x180 [ 534.889213] __do_softirq+0x276/0x86a [ 534.889230] __irq_exit_rcu+0x11c/0x180 [ 534.889238] irq_exit_rcu+0x5/0x20 [ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0 [ 534.889251] </IRQ> [ 534.889254] <TASK> [ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206 [ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10 [ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001 [ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68 [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000 [ 534.889316] ? mark_lock+0xd0/0x14a0 [ 534.889332] klist_next+0x1d4/0x450 [ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0 [ 534.889350] device_for_each_child+0xa8/0x140 [ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0 [ 534.889370] ? __lock_release+0x4bd/0x9f0 [ 534.889378] ? dpm_suspend+0x26b/0x3f0 [ 534.889390] dpm_wait_for_subordinate+ ---truncated---

Deeper analysisAI

CVE-2022-49238 is a use-after-free vulnerability in the Linux kernel's ath11k Wi-Fi driver, specifically affecting QCA6390 and WCN6855 hardware platforms. The issue stems from a prior commit (b4a0f54156ac) that altered the WMI command sequence during station disconnection from an access point to prevent firmware crashes, but inadvertently skipped the full peer deletion process. This left the peer->sta pointer dangling, as a subsequent commit intended to handle peer delete failures (58595c9874c6) did not take effect. KASAN detected the use-after-free in ath11k_dp_rx_update_peer_stats during monitor ring processing, with a reported instance in kernel 5.15.0-wt-ath+.

A local attacker with low privileges can exploit this vulnerability by triggering a station disconnection from an AP while monitor mode processing continues, leading to access of the freed peer structure. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or system crashes on affected systems with compatible ath11k hardware.

Kernel patches address the issue by modifying the logic to skip only the WMI_PEER_DELETE_CMDID for QCA6390 and WCN6855 while ensuring proper peer freeing. Relevant stable commits include 212ad7cb7d7592669c067125949e0a8e31ce6a0b and 400705c50bbf184794c885d1efad7fe9ccf1471a, available via git.kernel.org. Security practitioners should update to kernels incorporating these fixes and verify ath11k driver versions on systems using QCA6390 or WCN6855 chipsets.

Details

CWE(s): CWE-416

Affected Products

linux

linux kernel

5.17 — 5.17.2

CVEs Like This One

CVE-2024-57795Same product: Linux Linux Kernel

CVE-2026-31665Same product: Linux Linux Kernel

CVE-2026-23221Same product: Linux Linux Kernel

CVE-2025-21763Same product: Linux Linux Kernel

CVE-2025-21631Same product: Linux Linux Kernel

CVE-2025-21855Same product: Linux Linux Kernel

CVE-2026-23158Same product: Linux Linux Kernel

CVE-2026-22995Same product: Linux Linux Kernel

CVE-2026-31695Same product: Linux Linux Kernel

CVE-2026-31650Same product: Linux Linux Kernel

References

https://git.kernel.org/stable/c/212ad7cb7d7592669c067125949e0a8e31ce6a0b
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/400705c50bbf184794c885d1efad7fe9ccf1471a
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67