CVE-2022-49503
Published: 26 February 2025
Summary
CVE-2022-49503 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 1.1 percentile for exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49503 is a vulnerability in the Linux kernel's ath9k_htc wireless driver (the USB variant of the Atheros ath9k driver). The key index rs_keyix in the receive status block, which the driver takes from data delivered by the device, is passed to test_bit() against the TKIP key bitmap in ath9k_cmn_rx_accept() (drivers/net/wireless/ath/ath9k/common.c:46) without first checking that it lies within the bitmap. Because the index is untrusted, a value beyond the bitmap's size makes test_bit() read memory past the end of the bitmap. The flaw is classified as CWE-125 (Out-of-bounds Read) and carries a CVSS v3.1 base score of 7.1 (High).
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation leads to high confidentiality (C:H) and availability (A:H) impacts, with no integrity impact (I:N) and unchanged scope (S:U), potentially enabling information disclosure or denial of service through the out-of-bounds read.
Mitigation is to apply the stable kernel patches referenced in the kernel git repository, namely commits 0bcb528402cd5e1a6e1833e956fd58a12d509e8e, 2326d398ccd41ba6d93b8346532dfa432ab00fee, 2dc509305cf956381532792cb8dceef2b1504765, 3dad3fed5672828c7fb0465cb66a3d9a70952fa6 and 461e4c1f199076275f16bf6f3d3e42c6b6c79f33 (or to move to a kernel release that already contains one of them). They add a bounds check that rejects an out-of-range rs_keyix before it reaches test_bit().
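The following is an added example, not code from the kernel or from this advisory. It models the tkip_keymap lookup so that the effect of an unchecked rs_keyix is visible: the bitmap holds ATH_KEYMAX (128) bits, but rs_keyix is a u8 the device can set to any value up to 255, so test_bit() on such a value addresses a word past the end of the array. The constants ATH_KEYMAX and ATH9K_RXKEYIX_INVALID mirror the kernel's names; the structs, the sim_test_bit() helper (which reports an out-of-range index instead of dereferencing it, so the example itself never reads out of bounds) and the probe values are constructed for illustration. The pre-fix and post-fix lookups show the shape of the bug and of the bounds check the patches introduce.

```c
/* Added example, not kernel code: models the ath9k tkip_keymap lookup to show
 * why an unchecked rs_keyix reads past the bitmap and what the check looks like. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <limits.h>

#define ATH_KEYMAX            128              /* kernel: tkip_keymap is ATH_KEYMAX bits */
#define ATH9K_RXKEYIX_INVALID ((uint8_t)0xff)  /* kernel: "no key" marker in rs_keyix */
#define BITS_PER_LONG         (sizeof(unsigned long) * CHAR_BIT)
#define BITMAP_WORDS(nbits)   (((nbits) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Constructed stand-in for struct ath_common: only the bitmap matters here. */
struct fake_common {
    unsigned long tkip_keymap[BITMAP_WORDS(ATH_KEYMAX)];
};

/* Constructed stand-in for the RX status the device hands the driver.
 * rs_keyix is a u8 in the real struct, so the device can supply 0..255. */
struct fake_rx_status {
    uint8_t rs_keyix;
};

static void set_tkip_key(struct fake_common *c, unsigned int keyix)
{
    c->tkip_keymap[keyix / BITS_PER_LONG] |= 1UL << (keyix % BITS_PER_LONG);
}

/* Same word/bit arithmetic as the kernel's test_bit(), but returns -1 where the
 * real helper would dereference a word beyond the bitmap. */
static int sim_test_bit(const unsigned long *map, size_t nwords, unsigned int nr)
{
    size_t word = nr / BITS_PER_LONG;
    if (word >= nwords)
        return -1;
    return (int)((map[word] >> (nr % BITS_PER_LONG)) & 1UL);
}

/* Pre-fix shape of the lookup in ath9k_cmn_rx_accept(): only the invalid
 * marker is filtered, every other value goes straight into test_bit(). */
static int is_valid_tkip_prefix(const struct fake_common *c, const struct fake_rx_status *rs)
{
    if (rs->rs_keyix == ATH9K_RXKEYIX_INVALID)
        return 0;
    return sim_test_bit(c->tkip_keymap, BITMAP_WORDS(ATH_KEYMAX), rs->rs_keyix);
}

/* The bounds check the fix adds in the rx path before the status is used:
 * a keyix that is neither a real slot nor the invalid marker is garbage from
 * the device and the frame is dropped. */
static bool rx_keyix_acceptable(const struct fake_rx_status *rs)
{
    return rs->rs_keyix < ATH_KEYMAX || rs->rs_keyix == ATH9K_RXKEYIX_INVALID;
}

static int is_valid_tkip_postfix(const struct fake_common *c, const struct fake_rx_status *rs)
{
    if (!rx_keyix_acceptable(rs))
        return 0;               /* dropped before any lookup happens */
    return is_valid_tkip_prefix(c, rs);
}

/* Constructed fixture: one TKIP key installed in slot keyix. */
static struct fake_common make_common_with_key(unsigned int keyix)
{
    struct fake_common c;
    memset(&c, 0, sizeof c);
    set_tkip_key(&c, keyix);
    return c;
}

int main(void)
{
    struct fake_common c = make_common_with_key(5);
    uint8_t probes[] = { 5, 127, 128, 200, ATH9K_RXKEYIX_INVALID };
    for (size_t i = 0; i < sizeof probes; i++) {
        struct fake_rx_status rs = { .rs_keyix = probes[i] };
        printf("keyix %3u: pre-fix %2d  post-fix %d\n", rs.rs_keyix,
               is_valid_tkip_prefix(&c, &rs), is_valid_tkip_postfix(&c, &rs));
    }
    return 0;
}
```

A pre-fix result of -1 marks the indices (128 and above, other than 0xff) where the real test_bit() would read past the bitmap; the post-fix path returns 0 for those and the frame is dropped. Index 127 is the last legitimate slot and stays in bounds on both 32-bit and 64-bit longs.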
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54726
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix

The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to ensure that it is within the bitmap.

drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()
error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in a kernel wireless driver, reachable from a low-privileged local context, maps to Exploitation for Privilege Escalation (T1068): the direct outcomes are kernel information disclosure and denial of service, and a kernel memory leak of this kind is a typical building block in a local privilege-escalation chain.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): mandates timely remediation of identified flaws; here that means applying the kernel patches listed above (or updating to a kernel that contains them), which removes the out-of-bounds read in the ath9k_htc driver.
SI-10 (Information Input Validation): requires validating inputs such as rxstatus->rs_keyix, which arrives from the device and is therefore untrusted, so that the index is confirmed to lie within the bitmap before it reaches test_bit(); this is exactly the check the fix adds and it closes the exploitation vector.
SI-16 (Memory Protection): memory protections such as kernel address space layout randomization and supervisor mode execution protection raise the cost of turning a kernel read into a working exploit chain, but they do not prevent the out-of-bounds read itself, and an information leak of this kind is precisely what an attacker uses to defeat KASLR; treat this control as defence in depth, not as a substitute for the patch.