CVE-2022-49519

Severity: High
Published: 26 February 2025
Modified: 21 October 2025
KEV added: not listed
Patch: available (see References)
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0015 (35.1st percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49519 is a high-severity double free (CWE-415) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 35.1st percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2022-49519 is a double free vulnerability in the ath10k Wi-Fi driver within the Linux kernel. The issue arises when firmware recovery, triggered by a WMI timeout or crash via ath10k_core_restart(), is immediately followed by a suspend event. This sequence causes ath10k_halt() to be invoked twice: once during recovery cleanup and again in ath10k_stop() during suspend. The restart worker thread freezes during suspend, preventing ath10k_htt_rx_alloc() from executing, which leads to ath10k_htt_rx_free() being called on unallocated memory, resulting in a kernel crash. The vulnerability is classified under CWE-415 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering firmware recovery on an ath10k-supported device, such as those using QCA6174 hardware, followed by initiating a system suspend. This requires physical or local access but low complexity and no user interaction. Successful exploitation causes a kernel panic due to the double free, as evidenced by the provided crash stack originating from kfree() in ath10k_core_stop() during suspend. While primarily manifesting as a denial of service via system crash, the double free nature could potentially enable further impact like memory corruption or code execution, aligning with the high confidentiality, integrity, and availability impacts in the CVSS score.

Kernel stable patches address the issue across multiple commits, including those at https://git.kernel.org/stable/c/5321e5211b5dc873e2e3d0deb749e69ecf4dbfe5 and others listed in references. The fixes skip ath10k_halt() during suspend when the driver state is ATH10K_STATE_RESTARTING and add ath10k_wait_for_suspend() calls in ath10k_stop() for that state. The frozen restart worker is canceled on resume. Security practitioners should apply these upstream patches to affected Linux kernel versions supporting ath10k hardware and test suspend/resume flows post-update, particularly on devices like QCA6174 hw3.2.
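The recovery-then-suspend sequence and the fix described above, modelled in user-space C as an added example (this is not kernel or ath10k code; the struct, the double-free counter, the `patched` switch and the `recovery_then_suspend()`/`suspend_wait_ran()` helpers are constructed here, and the kernel functions are reduced to the state transitions the text names):

```c
#include <stdbool.h>
#include <stdlib.h>

enum ath10k_state { ATH10K_STATE_ON, ATH10K_STATE_RESTARTING, ATH10K_STATE_OFF };

struct ath10k {
    enum ath10k_state state;
    void *htt_rx_buf;        /* stands in for the HTT RX ring memory */
    int double_frees;        /* frees of an already-freed ring (SLUB would BUG here) */
    bool waited_for_suspend; /* whether ath10k_wait_for_suspend() ran */
};

static void ath10k_htt_rx_free(struct ath10k *ar) {
    if (!ar->htt_rx_buf) { ar->double_frees++; return; } /* second free of same ring */
    free(ar->htt_rx_buf);
    ar->htt_rx_buf = NULL;
}

/* ath10k_halt() -> ath10k_core_stop(); the suspend wait is skipped while RESTARTING. */
static void ath10k_halt(struct ath10k *ar) {
    ath10k_htt_rx_free(ar);
    if (ar->state != ATH10K_STATE_RESTARTING)
        ar->waited_for_suspend = true;
}

/* Restart worker: halts, then suspend freezes it before ath10k_htt_rx_alloc() runs. */
static void ath10k_core_restart_frozen(struct ath10k *ar) {
    ar->state = ATH10K_STATE_RESTARTING;
    ath10k_halt(ar);
    /* worker frozen here; htt_rx_buf stays NULL until it resumes */
}

/* ath10k_stop() as reached from __ieee80211_suspend(); `patched` applies the fix. */
static void ath10k_stop(struct ath10k *ar, bool patched) {
    if (patched && ar->state == ATH10K_STATE_RESTARTING)
        ar->waited_for_suspend = true; /* ath10k_wait_for_suspend() instead of halt */
    else
        ath10k_halt(ar);
    ar->state = ATH10K_STATE_OFF;
}

/* FW recovery immediately followed by suspend; returns the double-free count. */
int recovery_then_suspend(bool patched, bool *waited) {
    struct ath10k ar = { .state = ATH10K_STATE_ON, .htt_rx_buf = malloc(64) };
    ath10k_core_restart_frozen(&ar);
    ath10k_stop(&ar, patched);
    free(ar.htt_rx_buf);
    if (waited) *waited = ar.waited_for_suspend;
    return ar.double_frees;
}
bool suspend_wait_ran(bool patched) { bool w; recovery_then_suspend(patched, &w); return w; }
```

Unpatched, the second ath10k_halt() frees the RX ring the frozen worker never re-allocated; patched, ath10k_stop() skips the halt in the RESTARTING state and performs the suspend wait that ath10k_core_stop() would otherwise have skipped.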

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ath10k: skip ath10k_halt during suspend for driver state RESTARTING

Double free crash is observed when FW recovery (caused by wmi timeout/crash) is followed by immediate suspend event. The FW recovery is triggered by ath10k_core_restart() which calls driver clean up via ath10k_halt(). When the suspend event occurs between the FW recovery, the restart worker thread is put into frozen state until suspend completes. The suspend event triggers ath10k_stop() which again triggers ath10k_halt(). The double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be called twice (Note: ath10k_htt_rx_alloc was not called by restart worker thread because of its frozen state), causing the crash.

To fix this, during the suspend flow, skip call to ath10k_halt() in ath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING. Also, for driver state ATH10K_STATE_RESTARTING, call ath10k_wait_for_suspend() in ath10k_stop(). This is because call to ath10k_wait_for_suspend() is skipped later in [ath10k_halt() > ath10k_core_stop()] for the driver state ATH10K_STATE_RESTARTING. The frozen restart worker thread will be cancelled during resume when the device comes out of suspend.

Below is the crash stack for reference:

[ 428.469167] ------------[ cut here ]------------
[ 428.469180] kernel BUG at mm/slub.c:4150!
[ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 428.469219] Workqueue: events_unbound async_run_entry_fn
[ 428.469230] RIP: 0010:kfree+0x319/0x31b
[ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246
[ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000
[ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000
[ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000
[ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 428.469285] Call Trace:
[ 428.469295] ? dma_free_attrs+0x5f/0x7d
[ 428.469320] ath10k_core_stop+0x5b/0x6f
[ 428.469336] ath10k_halt+0x126/0x177
[ 428.469352] ath10k_stop+0x41/0x7e
[ 428.469387] drv_stop+0x88/0x10e
[ 428.469410] __ieee80211_suspend+0x297/0x411
[ 428.469441] rdev_suspend+0x6e/0xd0
[ 428.469462] wiphy_suspend+0xb1/0x105
[ 428.469483] ? name_show+0x2d/0x2d
[ 428.469490] dpm_run_callback+0x8c/0x126
[ 428.469511] ? name_show+0x2d/0x2d
[ 428.469517] __device_suspend+0x2e7/0x41b
[ 428.469523] async_suspend+0x1f/0x93
[ 428.469529] async_run_entry_fn+0x3d/0xd1
[ 428.469535] process_one_work+0x1b1/0x329
[ 428.469541] worker_thread+0x213/0x372
[ 428.469547] kthread+0x150/0x15f
[ 428.469552] ? pr_cont_work+0x58/0x58
[ 428.469558] ? kthread_blkcg+0x31/0x31

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A double free in a kernel driver enables local exploitation for privilege escalation (potential code execution via memory corruption) or an endpoint denial of service (kernel panic on suspend).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23449 (same product: Linux kernel)
CVE-2026-31506 (same product: Linux kernel)
CVE-2026-23387 (same product: Linux kernel)
CVE-2024-57980 (same product: Linux kernel)
CVE-2026-31489 (same product: Linux kernel)
CVE-2022-49391 (same product: Linux kernel)
CVE-2022-49290 (same product: Linux kernel)
CVE-2026-23162 (same product: Linux kernel)
CVE-2026-23068 (same product: Linux kernel)
CVE-2022-49384 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 3.11 to 5.10.121, 5.11 to 5.15.46, 5.16 to 5.17.14

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent (SI-2 Flaw Remediation): Timely remediation through kernel patches directly prevents the double free in ath10k_halt() triggered by concurrent firmware recovery and suspend events.

Prevent (SI-11 Error Handling): Robust error handling in driver state transitions mitigates the race condition that leads to the double invocation of ath10k_halt() during the RESTARTING state and suspend.

Detect: Kernel memory protections such as SLUB allocator debugging detect the invalid double free in ath10k_htt_rx_free(), triggering the kernel BUG seen in the crash stack.

References