{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50258","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-15T13:58:00.974Z","datePublished":"2025-09-15T14:02:43.992Z","dateUpdated":"2026-05-11T19:15:50.478Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:15:50.478Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()\n\nThis patch fixes a stack-out-of-bounds read in brcmfmac that occurs\nwhen 'buf' that is not null-terminated is passed as an argument of\nstrsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware\nversion string by memcpy() in brcmf_fil_iovar_data_get().\nThe patch ensures buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[   47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3\n[   47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[   47.601565][ T1897] ==================================================================\n[   47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0\n[   47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897\n[   47.604336][ T1897]\n[   47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #131\n[   47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   47.606907][ T1897] Workqueue: usb_hub_wq hub_event\n[   47.607453][ T1897] Call Trace:\n[   47.607801][ T1897]  dump_stack_lvl+0x8e/0xd1\n[   47.608295][ T1897]  print_address_description.constprop.0.cold+0xf/0x334\n[   47.609009][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.609434][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.609863][ T1897]  kasan_report.cold+0x83/0xdf\n[   47.610366][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.610882][ T1897]  strsep+0x1b2/0x1f0\n[   47.611300][ T1897]  ? brcmf_fil_iovar_data_get+0x3a/0xf0\n[   47.611883][ T1897]  brcmf_c_preinit_dcmds+0x995/0xc40\n[   47.612434][ T1897]  ? brcmf_c_set_joinpref_default+0x100/0x100\n[   47.613078][ T1897]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   47.613662][ T1897]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   47.614208][ T1897]  ? lock_acquire+0x19d/0x4e0\n[   47.614704][ T1897]  ? find_held_lock+0x2d/0x110\n[   47.615236][ T1897]  ? brcmf_usb_deq+0x1a7/0x260\n[   47.615741][ T1897]  ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[   47.616288][ T1897]  brcmf_attach+0x246/0xd40\n[   47.616758][ T1897]  ? wiphy_new_nm+0x1703/0x1dd0\n[   47.617280][ T1897]  ? kmemdup+0x43/0x50\n[   47.617720][ T1897]  brcmf_usb_probe+0x12de/0x1690\n[   47.618244][ T1897]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[   47.618901][ T1897]  usb_probe_interface+0x2aa/0x760\n[   47.619429][ T1897]  ? usb_probe_device+0x250/0x250\n[   47.619950][ T1897]  really_probe+0x205/0xb70\n[   47.620435][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.621048][ T1897]  __driver_probe_device+0x311/0x4b0\n[   47.621595][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.622209][ T1897]  driver_probe_device+0x4e/0x150\n[   47.622739][ T1897]  __device_attach_driver+0x1cc/0x2a0\n[   47.623287][ T1897]  bus_for_each_drv+0x156/0x1d0\n[   47.623796][ T1897]  ? bus_rescan_devices+0x30/0x30\n[   47.624309][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   47.624907][ T1897]  ? trace_hardirqs_on+0x46/0x160\n[   47.625437][ T1897]  __device_attach+0x23f/0x3a0\n[   47.625924][ T1897]  ? device_bind_driver+0xd0/0xd0\n[   47.626433][ T1897]  ? kobject_uevent_env+0x287/0x14b0\n[   47.627057][ T1897]  bus_probe_device+0x1da/0x290\n[   47.627557][ T1897]  device_add+0xb7b/0x1eb0\n[   47.628027][ T1897]  ? wait_for_completion+0x290/0x290\n[   47.628593][ T1897]  ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0\n[   47.629249][ T1897]  usb_set_configuration+0xf59/0x16f0\n[   47.629829][ T1897]  usb_generic_driver_probe+0x82/0xa0\n[   47.630385][ T1897]  usb_probe_device+0xbb/0x250\n[   47.630927][ T1897]  ? usb_suspend+0x590/0x590\n[   47.631397][ T1897]  really_probe+0x205/0xb70\n[   47.631855][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.632469][ T1897]  __driver_probe_device+0x311/0x4b0\n[   47.633002][ \n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c"],"versions":[{"version":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845","lessThan":"89243a7b0ea19606ba1c2873c9d569026ccb344f","status":"affected","versionType":"git"},{"version":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845","lessThan":"d481fd6064bf215d7c5068e15aa390c3b16c9cd0","status":"affected","versionType":"git"},{"version":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845","lessThan":"17dbe90e13f52848c460d253f15b765038ec6dc0","status":"affected","versionType":"git"},{"version":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845","lessThan":"d6ef66194bb4a6c18f5b9649bf62597909b040e4","status":"affected","versionType":"git"},{"version":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845","lessThan":"3a3a5e3f94068cd562d62a57da6983c8cd07d53c","status":"affected","versionType":"git"},{"version":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845","lessThan":"881f50d76c3892262730ddf5c894eb00310e736c","status":"affected","versionType":"git"},{"version":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845","lessThan":"ba166e0ebdde3dfa833f0a3edaf2b2934d4a87f7","status":"affected","versionType":"git"},{"version":"0af29bf7c1ddf5f3c35577409de46ede5e8d7845","lessThan":"0a06cadcc2a0044e4a117cc0e61436fc3a0dad69","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c"],"versions":[{"version":"3.8","status":"affected"},{"version":"0","lessThan":"3.8","status":"unaffected","versionType":"semver"},{"version":"4.14.308","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.276","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.235","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.173","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.99","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.16","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.3","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"4.14.308"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"4.19.276"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.4.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.10.173"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"5.15.99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.1.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.2.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8","versionEndExcluding":"6.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/89243a7b0ea19606ba1c2873c9d569026ccb344f"},{"url":"https://git.kernel.org/stable/c/d481fd6064bf215d7c5068e15aa390c3b16c9cd0"},{"url":"https://git.kernel.org/stable/c/17dbe90e13f52848c460d253f15b765038ec6dc0"},{"url":"https://git.kernel.org/stable/c/d6ef66194bb4a6c18f5b9649bf62597909b040e4"},{"url":"https://git.kernel.org/stable/c/3a3a5e3f94068cd562d62a57da6983c8cd07d53c"},{"url":"https://git.kernel.org/stable/c/881f50d76c3892262730ddf5c894eb00310e736c"},{"url":"https://git.kernel.org/stable/c/ba166e0ebdde3dfa833f0a3edaf2b2934d4a87f7"},{"url":"https://git.kernel.org/stable/c/0a06cadcc2a0044e4a117cc0e61436fc3a0dad69"}],"title":"wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()","x_generator":{"engine":"bippy-1.2.0"}}}}