{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50186", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-06-18T10:57:27.427Z", "datePublished": "2025-06-18T11:03:33.552Z", "dateUpdated": "2026-05-11T19:14:27.436Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:14:27.436Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix missing skb drop on htc_tx_completion error\n\nOn htc_tx_completion error the skb is not dropped. This is wrong since\nthe completion_handler logic expect the skb to be consumed anyway even\nwhen an error is triggered. Not freeing the skb on error is a memory\nleak since the skb won't be freed anywere else. Correctly free the\npacket on eid >= ATH11K_HTC_EP_COUNT before returning.\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath11k/htc.c"], "versions": [{"version": "f951380a6022440335f668f85296096ba13071ba", "lessThan": "dda25326839d6e6b1fe59e79616149e44ea4eaa4", "status": "affected", "versionType": "git"}, {"version": "f951380a6022440335f668f85296096ba13071ba", "lessThan": "1f1483361585ae7556492f50f83f038bbdf8c294", "status": "affected", "versionType": "git"}, {"version": "f951380a6022440335f668f85296096ba13071ba", "lessThan": "e5646fe3b7ef739c392e59da7db6adf5e1fdef42", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath11k/htc.c"], "versions": [{"version": "5.17", "status": "affected"}, {"version": "0", "lessThan": "5.17", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.18", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.2", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.19.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/dda25326839d6e6b1fe59e79616149e44ea4eaa4"}, {"url": "https://git.kernel.org/stable/c/1f1483361585ae7556492f50f83f038bbdf8c294"}, {"url": "https://git.kernel.org/stable/c/e5646fe3b7ef739c392e59da7db6adf5e1fdef42"}], "title": "ath11k: fix missing skb drop on htc_tx_completion error", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B831238-84A7-4D00-BF02-02E058AD3C34", "versionEndExcluding": "5.18.18", "versionStartIncluding": "5.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1A2A5A5-4598-4D7E-BA07-4660398D6C8F", "versionEndExcluding": "5.19.2", "versionStartIncluding": "5.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix missing skb drop on htc_tx_completion error\n\nOn htc_tx_completion error the skb is not dropped. This is wrong since\nthe completion_handler logic expect the skb to be consumed anyway even\nwhen an error is triggered. Not freeing the skb on error is a memory\nleak since the skb won't be freed anywere else. Correctly free the\npacket on eid >= ATH11K_HTC_EP_COUNT before returning.\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ath11k: se corrige la falta de eliminaci\u00f3n de skb en el error htc_tx_completion. En el error htc_tx_completion, el skb no se elimina. Esto es incorrecto, ya que la l\u00f3gica de completion_handler espera que el skb se consuma de todas formas, incluso cuando se produce un error. No liberar el skb en caso de error supone una fuga de memoria, ya que no se liberar\u00e1 en ning\u00fan otro lugar. Libere correctamente el paquete en eid >= ATH11K_HTC_EP_COUNT antes de regresar. Probado en: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1"}], "id": "CVE-2022-50186", "lastModified": "2025-11-19T12:51:01.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-18T11:15:49.147", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f1483361585ae7556492f50f83f038bbdf8c294"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dda25326839d6e6b1fe59e79616149e44ea4eaa4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e5646fe3b7ef739c392e59da7db6adf5e1fdef42"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ath11k: fix missing skb drop on htc_tx_completion error", "id": "2373474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373474"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nath11k: fix missing skb drop on htc_tx_completion error\nOn htc_tx_completion error the skb is not dropped. This is wrong since\nthe completion_handler logic expect the skb to be consumed anyway even\nwhen an error is triggered. Not freeing the skb on error is a memory\nleak since the skb won't be freed anywere else. Correctly free the\npacket on eid >= ATH11K_HTC_EP_COUNT before returning.\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1"], "name": "CVE-2022-50186", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50186\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50186\nhttps://lore.kernel.org/linux-cve-announce/2025061834-CVE-2022-50186-1ecc@gregkh/T"], "statement": "This patch fixes a memory leak in the ath11k HTC TX completion handler, where SKBs were not freed on certain error paths (eid out of range).\nThe fix ensures proper resource cleanup by calling dev_kfree_skb_any() for invalid endpoints, preventing gradual memory exhaustion and potential system instability.", "threat_severity": "Moderate"}

{"created": "2025-06-23T08:45:29.722238+00:00", "updated": "2025-06-23T08:45:29.722288+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}