{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50408","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-17T14:53:07.001Z","datePublished":"2025-09-18T16:03:53.197Z","dateUpdated":"2026-05-11T19:18:54.979Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:18:54.979Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()\n\n> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);\n\nmay be schedule, and then complete before the line\n\n> ndev->stats.tx_bytes += skb->len;\n\n[   46.912801] ==================================================================\n[   46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]\n[   46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328\n[   46.935991]\n[   46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G           O      5.4.199-[REDACTED] #1\n[   46.947255] Hardware name: [REDACTED]\n[   46.954568] Call trace:\n[   46.957037]  dump_backtrace+0x0/0x2b8\n[   46.960719]  show_stack+0x24/0x30\n[   46.964052]  dump_stack+0x128/0x194\n[   46.967557]  print_address_description.isra.0+0x64/0x380\n[   46.972877]  __kasan_report+0x1d4/0x240\n[   46.976723]  kasan_report+0xc/0x18\n[   46.980138]  __asan_report_load4_noabort+0x18/0x20\n[   46.985027]  brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]\n[   46.990613]  dev_hard_start_xmit+0x1bc/0xda0\n[   46.994894]  sch_direct_xmit+0x198/0xd08\n[   46.998827]  __qdisc_run+0x37c/0x1dc0\n[   47.002500]  __dev_queue_xmit+0x1528/0x21f8\n[   47.006692]  dev_queue_xmit+0x24/0x30\n[   47.010366]  neigh_resolve_output+0x37c/0x678\n[   47.014734]  ip_finish_output2+0x598/0x2458\n[   47.018927]  __ip_finish_output+0x300/0x730\n[   47.023118]  ip_output+0x2e0/0x430\n[   47.026530]  ip_local_out+0x90/0x140\n[   47.030117]  igmpv3_sendpack+0x14c/0x228\n[   47.034049]  igmpv3_send_cr+0x384/0x6b8\n[   47.037895]  igmp_ifc_timer_expire+0x4c/0x118\n[   47.042262]  call_timer_fn+0x1cc/0xbe8\n[   47.046021]  __run_timers+0x4d8/0xb28\n[   47.049693]  run_timer_softirq+0x24/0x40\n[   47.053626]  __do_softirq+0x2c0/0x117c\n[   47.057387]  irq_exit+0x2dc/0x388\n[   47.060715]  __handle_domain_irq+0xb4/0x158\n[   47.064908]  gic_handle_irq+0x58/0xb0\n[   47.068581]  el0_irq_naked+0x50/0x5c\n[   47.072162]\n[   47.073665] Allocated by task 328:\n[   47.077083]  save_stack+0x24/0xb0\n[   47.080410]  __kasan_kmalloc.isra.0+0xc0/0xe0\n[   47.084776]  kasan_slab_alloc+0x14/0x20\n[   47.088622]  kmem_cache_alloc+0x15c/0x468\n[   47.092643]  __alloc_skb+0xa4/0x498\n[   47.096142]  igmpv3_newpack+0x158/0xd78\n[   47.099987]  add_grhead+0x210/0x288\n[   47.103485]  add_grec+0x6b0/0xb70\n[   47.106811]  igmpv3_send_cr+0x2e0/0x6b8\n[   47.110657]  igmp_ifc_timer_expire+0x4c/0x118\n[   47.115027]  call_timer_fn+0x1cc/0xbe8\n[   47.118785]  __run_timers+0x4d8/0xb28\n[   47.122457]  run_timer_softirq+0x24/0x40\n[   47.126389]  __do_softirq+0x2c0/0x117c\n[   47.130142]\n[   47.131643] Freed by task 180:\n[   47.134712]  save_stack+0x24/0xb0\n[   47.138041]  __kasan_slab_free+0x108/0x180\n[   47.142146]  kasan_slab_free+0x10/0x18\n[   47.145904]  slab_free_freelist_hook+0xa4/0x1b0\n[   47.150444]  kmem_cache_free+0x8c/0x528\n[   47.154292]  kfree_skbmem+0x94/0x108\n[   47.157880]  consume_skb+0x10c/0x5a8\n[   47.161466]  __dev_kfree_skb_any+0x88/0xa0\n[   47.165598]  brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]\n[   47.171023]  brcmf_txfinalize+0xec/0x190 [brcmfmac]\n[   47.176016]  brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]\n[   47.182056]  brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]\n[   47.187568]  brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]\n[   47.192529]  brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]\n[   47.197859]  process_one_work+0x7fc/0x1a80\n[   47.201965]  worker_thread+0x31c/0xc40\n[   47.205726]  kthread+0x2d8/0x370\n[   47.208967]  ret_from_fork+0x10/0x18\n[   47.212546]\n[   47.214051] The buggy address belongs to the object at ffffff803f588280\n[   47.214051]  which belongs to the cache skbuff_head_cache of size 208\n[   47.227086] The buggy address is located 104 bytes inside of\n[   47.227086]  208-byte region [ffffff803f588280, ffffff803f588350)\n[   47.238814] The buggy address belongs to the page:\n[   47.243618] page:ffffffff00dd6200 refcount:1 mapcou\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"],"versions":[{"version":"b1a2a41126fc582a3d5613aa2d3e632b2eb1a2c4","lessThan":"1613a7b24f1a7467cb727ba3ec77c9a808383560","status":"affected","versionType":"git"},{"version":"b1a2a41126fc582a3d5613aa2d3e632b2eb1a2c4","lessThan":"d79f4d903e14dde822c60b5fd3bedc5a289d25df","status":"affected","versionType":"git"},{"version":"b1a2a41126fc582a3d5613aa2d3e632b2eb1a2c4","lessThan":"49c742afd60f552fce7799287080db02bffe1db2","status":"affected","versionType":"git"},{"version":"b1a2a41126fc582a3d5613aa2d3e632b2eb1a2c4","lessThan":"e01d96494a9de0f48b1167f0494f6d929fa773ed","status":"affected","versionType":"git"},{"version":"b1a2a41126fc582a3d5613aa2d3e632b2eb1a2c4","lessThan":"232d59eca07f6ea27307022a33d226aff373bd02","status":"affected","versionType":"git"},{"version":"b1a2a41126fc582a3d5613aa2d3e632b2eb1a2c4","lessThan":"27574a3f421c3a1694d0207f37c6bbf23d66978e","status":"affected","versionType":"git"},{"version":"b1a2a41126fc582a3d5613aa2d3e632b2eb1a2c4","lessThan":"c369836cff98d3877f98c98e15c0151462812d96","status":"affected","versionType":"git"},{"version":"b1a2a41126fc582a3d5613aa2d3e632b2eb1a2c4","lessThan":"3f42faf6db431e04bf942d2ebe3ae88975723478","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c"],"versions":[{"version":"3.9","status":"affected"},{"version":"0","lessThan":"3.9","status":"unaffected","versionType":"semver"},{"version":"4.14.296","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.262","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.220","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.150","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.75","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.17","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0.3","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"4.14.296"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"4.19.262"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"5.4.220"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"5.10.150"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"5.15.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"5.19.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"6.0.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1613a7b24f1a7467cb727ba3ec77c9a808383560"},{"url":"https://git.kernel.org/stable/c/d79f4d903e14dde822c60b5fd3bedc5a289d25df"},{"url":"https://git.kernel.org/stable/c/49c742afd60f552fce7799287080db02bffe1db2"},{"url":"https://git.kernel.org/stable/c/e01d96494a9de0f48b1167f0494f6d929fa773ed"},{"url":"https://git.kernel.org/stable/c/232d59eca07f6ea27307022a33d226aff373bd02"},{"url":"https://git.kernel.org/stable/c/27574a3f421c3a1694d0207f37c6bbf23d66978e"},{"url":"https://git.kernel.org/stable/c/c369836cff98d3877f98c98e15c0151462812d96"},{"url":"https://git.kernel.org/stable/c/3f42faf6db431e04bf942d2ebe3ae88975723478"}],"title":"wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-50408","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2026-01-14T19:08:23.930157Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T19:13:08.728Z"}}]}}