CVE-2022-50297 in Linux
Summary
by MITRE • 09/15/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: verify the expected usb_endpoints are present
The bug arises when a USB device claims to be an ATH9K but doesn't have the expected endpoints. (In this case there was an interrupt endpoint where the driver expected a bulk endpoint.) The kernel needs to be able to handle such devices without getting an internal error.
usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 Modules linked in: CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events request_firmware_work_func RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 Call Trace: ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline]
ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019 ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline]
ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242 request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097 process_one_work+0x9af/0x1600 kernel/workqueue.c:2279 worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425 kthread+0x3b4/0x4a0 kernel/kthread.c:313 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/10/2026
The vulnerability CVE-2022-50297 represents a critical issue within the Linux kernel's wireless subsystem, specifically affecting the ath9k driver responsible for handling Atheros wireless network adapters. This flaw manifests when a USB device falsely identifies itself as an ath9k compatible device but fails to provide the expected USB endpoint configuration. The root cause lies in inadequate validation of USB endpoint types during device initialization, creating a scenario where the kernel's USB subsystem encounters a mismatch between expected and actual endpoint characteristics. The vulnerability specifically targets the USB bulk endpoint type expected by the ath9k driver but encounters an interrupt endpoint instead, leading to a kernel panic condition.
The technical implementation of this vulnerability stems from insufficient input validation within the USB device enumeration process. When the ath9k wireless driver attempts to initialize a USB device, it expects specific endpoint types to be present based on the device's claimed identity. However, malicious or faulty USB devices can manipulate their descriptor information to claim compatibility with the ath9k driver while failing to provide the actual hardware endpoints required. The kernel's USB core module in drivers/usb/core/urb.c line 493 encounters this inconsistency and triggers an internal error when attempting to submit USB requests. The error message "BOGUS urb xfer, pipe 3 != type 1" indicates a fundamental mismatch where the USB pipe type (3) does not correspond to the expected endpoint type (1), causing the kernel to crash during the firmware loading process.
This vulnerability creates a significant operational impact within Linux systems, particularly those utilizing USB wireless adapters or embedded systems where wireless connectivity is essential. The kernel panic condition results in complete system instability, forcing immediate system restarts and potentially causing data loss or service interruption. The issue is particularly concerning in embedded environments or IoT devices where wireless connectivity is critical for system operation, as these systems may become permanently unavailable until manual intervention occurs. The vulnerability affects systems running kernel versions where the ath9k driver handles USB wireless devices, potentially impacting a wide range of network equipment, routers, and embedded systems that rely on USB wireless connectivity. The exploitation of this vulnerability can lead to denial of service conditions that are difficult to recover from automatically, requiring manual system reboot or intervention.
Mitigation strategies for CVE-2022-50297 involve implementing robust endpoint validation within the USB device initialization process and strengthening the ath9k driver's error handling capabilities. The primary solution requires updating the kernel to versions containing the patched ath9k driver code that properly validates USB endpoint types before attempting device initialization. System administrators should prioritize kernel updates and ensure all wireless USB devices undergo proper endpoint verification during enumeration. Additionally, implementing proper USB device policy controls and monitoring for suspicious device behavior can help detect potentially malicious USB devices attempting to exploit this vulnerability. Organizations should also consider deploying network segmentation and device authentication mechanisms to prevent unauthorized USB devices from connecting to critical systems, as outlined in the MITRE ATT&CK framework's T1011.001 technique for evasion through device manipulation. The fix aligns with CWE-248, which addresses improper exception handling in software systems, and represents a fundamental requirement for secure USB device management as specified in industry security standards.