CVE-2022-50551

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
07/10/2025
Last modified:
04/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()

This patch fixes a shift-out-of-bounds in brcmfmac that occurs in BIT(chiprev) when a 'chiprev' provided by the device is too large. It should also not be equal to or greater than BITS_PER_TYPE(u32) as we do bitwise AND with a u32 variable and BIT(chiprev). The patch adds a check that makes the function return NULL if that is the case. Note that the NULL case is later handled by the bus-specific caller, brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.

Found by a modified version of syzkaller.

UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
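As an added illustration (not brcmfmac's own code): a userspace model of the revision-mask lookup described above, with the unchecked BIT(chiprev) beside the bounds check the fix adds. The table, chip ids and the lookup_fw_* function names are constructed for the example; the BIT and BITS_PER_TYPE macros mirror the kernel's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the firmware lookup described in the advisory. Added
 * here as illustration; it is not the kernel driver's code. */
#define BITS_PER_TYPE(t) (sizeof(t) * 8)
#define BIT(n)           (1UL << (n))

/* Constructed sample table: chip id, u32 mask of supported revisions, name. */
struct fw_mapping {
    uint32_t chipid;
    uint32_t revmask;   /* bit i set => chiprev i is supported */
    const char *fw_base;
};

static const struct fw_mapping fw_table[] = {
    { 0x4330, 0x0000000fu, "brcmfmac4330" },
    { 0x43ff, 0xffffffffu, "brcmfmac43ff" },
};

/* The bug: BIT(chiprev) runs on whatever the device sent. A chiprev of 64 or
 * more shifts by at least the width of unsigned long (UB, which is what UBSAN
 * reported); 32..63 is not UB but can never match the u32 mask either. */
const char *lookup_fw_unchecked(uint32_t chipid, uint32_t chiprev)
{
    for (size_t i = 0; i < sizeof(fw_table) / sizeof(fw_table[0]); i++) {
        if (fw_table[i].chipid == chipid &&
            (fw_table[i].revmask & BIT(chiprev)))
            return fw_table[i].fw_base;
    }
    return NULL;
}

/* Hardened form, following the fix: bound chiprev by the width of the u32
 * mask before BIT() sees it, and return NULL for the caller to handle. */
const char *lookup_fw_checked(uint32_t chipid, uint32_t chiprev)
{
    if (chiprev >= BITS_PER_TYPE(uint32_t)) {
        fprintf(stderr, "invalid chip revision %u\n", chiprev);
        return NULL;
    }
    return lookup_fw_unchecked(chipid, chiprev);
}

int main(void)
{
    /* 151055786 is the shift exponent from the UBSAN report quoted above. */
    const char *fw = lookup_fw_checked(0x4330, 151055786u);
    printf("rev 151055786 -> %s\n", fw ? fw : "rejected (NULL)");
    return 0;
}
```

Compiling with -fsanitize=shift and calling the unchecked form with a revision of 64 or more reproduces the class of report quoted in the description; the checked form returns NULL instead.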

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.5 (including) 4.9.337 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.14.305 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.270 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.229 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.163 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.0.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1 (including) 6.1.2 (excluding)