CVE-2022-50279

UNKNOWN 0.0

wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit() There is a global-out-of-bounds reported by KASAN: BUG: KASAN: global-out-of-bounds in _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411 CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D 6.1.0-rc8+ #144 e15588508517267d37 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), Call Trace: <TASK> ... kasan_report+0xbb/0x1c0 _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae] rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae] ... </TASK> The root cause of the problem is that the comparison order of "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two strings from tail to head, which causes the problem. In the _rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet this requirement by carefully designing the comparison order. For example, "pregulation" and "pbandwidth" are compared in order of length from small to large, first is 3 and last is 4. However, the comparison order of "prate_section" dose not obey such order requirement, therefore when "prate_section" is "HT", when comparing from tail to head, it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As mentioned above, the _rtl8812ae_eq_n_byte() has the same function as strcmp(), so just strcmp() is enough. Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely. Although it can be fixed by adjusting the comparison order of "prate_section", this may cause the value of "rate_section" to not be from 0 to 5. In addition, commit "21e4b0726dc6" not only moved driver from staging to regular tree, but also added setting txpower limit function during the driver config phase, so the problem was introduced by this commit.

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Sep 15, 2025
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Linux / Linux

21e4b0726dc671c423e2dc9a85364716219c4502 < fc3442247716fc426bbcf62ed65e086e48a6d44f 21e4b0726dc671c423e2dc9a85364716219c4502 < 28ea268d95e57cdf6394a058f0d854206d478772 21e4b0726dc671c423e2dc9a85364716219c4502 < 1e950b9a841bc96e98ee25680d5c7aa305120be1 21e4b0726dc671c423e2dc9a85364716219c4502 < 0c962dcd6bf64b78eaffc09e497a2beb4e48bc32 21e4b0726dc671c423e2dc9a85364716219c4502 < f1fe40120de6ad4ffa8299fde035a5feba10d4fb 21e4b0726dc671c423e2dc9a85364716219c4502 < 057b52461dc005ecd85a3e4998913b1492ec0f72 21e4b0726dc671c423e2dc9a85364716219c4502 < 117dbeda22ec5ea0918254d03b540ef8b8a64d53

Linux / Linux

3.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

git.kernel.org: https://git.kernel.org/stable/c/fc3442247716fc426bbcf62ed65e086e48a6d44f git.kernel.org: https://git.kernel.org/stable/c/28ea268d95e57cdf6394a058f0d854206d478772 git.kernel.org: https://git.kernel.org/stable/c/1e950b9a841bc96e98ee25680d5c7aa305120be1 git.kernel.org: https://git.kernel.org/stable/c/0c962dcd6bf64b78eaffc09e497a2beb4e48bc32 git.kernel.org: https://git.kernel.org/stable/c/f1fe40120de6ad4ffa8299fde035a5feba10d4fb git.kernel.org: https://git.kernel.org/stable/c/057b52461dc005ecd85a3e4998913b1492ec0f72 git.kernel.org: https://git.kernel.org/stable/c/117dbeda22ec5ea0918254d03b540ef8b8a64d53