{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-50279", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-15T13:58:00.976Z", "datePublished": "2025-09-15T14:21:16.051Z", "dateUpdated": "2025-09-15T14:21:16.051Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-15T14:21:16.051Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()\n\nThere is a global-out-of-bounds reported by KASAN:\n\n BUG: KASAN: global-out-of-bounds in\n _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]\n Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411\n\n CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D\n 6.1.0-rc8+ #144 e15588508517267d37\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),\n Call Trace:\n <TASK>\n ...\n kasan_report+0xbb/0x1c0\n _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]\n rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]\n rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]\n ...\n </TASK>\n\nThe root cause of the problem is that the comparison order of\n\"prate_section\" in _rtl8812ae_phy_set_txpower_limit() is wrong. The\n_rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two\nstrings from tail to head, which causes the problem. In the\n_rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet\nthis requirement by carefully designing the comparison order.\nFor example, \"pregulation\" and \"pbandwidth\" are compared in order of\nlength from small to large, first is 3 and last is 4. However, the\ncomparison order of \"prate_section\" dose not obey such order requirement,\ntherefore when \"prate_section\" is \"HT\", when comparing from tail to head,\nit will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As\nmentioned above, the _rtl8812ae_eq_n_byte() has the same function as\nstrcmp(), so just strcmp() is enough.\n\nFix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely.\nAlthough it can be fixed by adjusting the comparison order of\n\"prate_section\", this may cause the value of \"rate_section\" to not be\nfrom 0 to 5. In addition, commit \"21e4b0726dc6\" not only moved driver\nfrom staging to regular tree, but also added setting txpower limit\nfunction during the driver config phase, so the problem was introduced\nby this commit."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c"], "versions": [{"version": "21e4b0726dc671c423e2dc9a85364716219c4502", "lessThan": "fc3442247716fc426bbcf62ed65e086e48a6d44f", "status": "affected", "versionType": "git"}, {"version": "21e4b0726dc671c423e2dc9a85364716219c4502", "lessThan": "28ea268d95e57cdf6394a058f0d854206d478772", "status": "affected", "versionType": "git"}, {"version": "21e4b0726dc671c423e2dc9a85364716219c4502", "lessThan": "1e950b9a841bc96e98ee25680d5c7aa305120be1", "status": "affected", "versionType": "git"}, {"version": "21e4b0726dc671c423e2dc9a85364716219c4502", "lessThan": "0c962dcd6bf64b78eaffc09e497a2beb4e48bc32", "status": "affected", "versionType": "git"}, {"version": "21e4b0726dc671c423e2dc9a85364716219c4502", "lessThan": "f1fe40120de6ad4ffa8299fde035a5feba10d4fb", "status": "affected", "versionType": "git"}, {"version": "21e4b0726dc671c423e2dc9a85364716219c4502", "lessThan": "057b52461dc005ecd85a3e4998913b1492ec0f72", "status": "affected", "versionType": "git"}, {"version": "21e4b0726dc671c423e2dc9a85364716219c4502", "lessThan": "117dbeda22ec5ea0918254d03b540ef8b8a64d53", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c"], "versions": [{"version": "3.18", "status": "affected"}, {"version": "0", "lessThan": "3.18", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.276", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.235", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.173", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.99", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.16", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.3", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "4.19.276"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "5.4.235"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "5.10.173"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "5.15.99"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.1.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.2.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fc3442247716fc426bbcf62ed65e086e48a6d44f"}, {"url": "https://git.kernel.org/stable/c/28ea268d95e57cdf6394a058f0d854206d478772"}, {"url": "https://git.kernel.org/stable/c/1e950b9a841bc96e98ee25680d5c7aa305120be1"}, {"url": "https://git.kernel.org/stable/c/0c962dcd6bf64b78eaffc09e497a2beb4e48bc32"}, {"url": "https://git.kernel.org/stable/c/f1fe40120de6ad4ffa8299fde035a5feba10d4fb"}, {"url": "https://git.kernel.org/stable/c/057b52461dc005ecd85a3e4998913b1492ec0f72"}, {"url": "https://git.kernel.org/stable/c/117dbeda22ec5ea0918254d03b540ef8b8a64d53"}], "title": "wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()\n\nThere is a global-out-of-bounds reported by KASAN:\n\n BUG: KASAN: global-out-of-bounds in\n _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]\n Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411\n\n CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D\n 6.1.0-rc8+ #144 e15588508517267d37\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),\n Call Trace:\n <TASK>\n ...\n kasan_report+0xbb/0x1c0\n _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]\n rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]\n rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]\n ...\n </TASK>\n\nThe root cause of the problem is that the comparison order of\n\"prate_section\" in _rtl8812ae_phy_set_txpower_limit() is wrong. The\n_rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two\nstrings from tail to head, which causes the problem. In the\n_rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet\nthis requirement by carefully designing the comparison order.\nFor example, \"pregulation\" and \"pbandwidth\" are compared in order of\nlength from small to large, first is 3 and last is 4. However, the\ncomparison order of \"prate_section\" dose not obey such order requirement,\ntherefore when \"prate_section\" is \"HT\", when comparing from tail to head,\nit will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As\nmentioned above, the _rtl8812ae_eq_n_byte() has the same function as\nstrcmp(), so just strcmp() is enough.\n\nFix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely.\nAlthough it can be fixed by adjusting the comparison order of\n\"prate_section\", this may cause the value of \"rate_section\" to not be\nfrom 0 to 5. In addition, commit \"21e4b0726dc6\" not only moved driver\nfrom staging to regular tree, but also added setting txpower limit\nfunction during the driver config phase, so the problem was introduced\nby this commit."}], "id": "CVE-2022-50279", "lastModified": "2025-09-15T15:22:27.090", "metrics": {}, "published": "2025-09-15T15:15:38.940", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/057b52461dc005ecd85a3e4998913b1492ec0f72"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0c962dcd6bf64b78eaffc09e497a2beb4e48bc32"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/117dbeda22ec5ea0918254d03b540ef8b8a64d53"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e950b9a841bc96e98ee25680d5c7aa305120be1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/28ea268d95e57cdf6394a058f0d854206d478772"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f1fe40120de6ad4ffa8299fde035a5feba10d4fb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fc3442247716fc426bbcf62ed65e086e48a6d44f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}