CVE-2021-47633: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
In the Linux kernel, the following vulnerability has been resolved:
ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
The bug was found during fuzzing. Stacktrace locates it in
ath5k_eeprom_convert_pcal_info_5111.
When none of the curve is selected in the loop, idx can go
up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound.
pd = &chinfo[pier].pd_curves[idx];
There are many OOB writes using pd later in the code. So I
added a sanity check for idx. Checks for other loops involving
AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not
used outside the loops.
The patch is NOT tested with real device.
The following is the fuzzing report
BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
Write of size 1 at addr ffff8880174a4d60 by task modprobe/214
CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1
Call Trace:
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
__kasan_report.cold+0x37/0x7c
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
kasan_report+0xe/0x20
ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]
ath5k_eeprom_init+0x2513/0x6290 [ath5k]
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? usleep_range+0xb8/0x100
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]
ath5k_hw_init+0xb60/0x1970 [ath5k]
ath5k_init_ah+0x6fe/0x2530 [ath5k]
? kasprintf+0xa6/0xe0
? ath5k_stop+0x140/0x140 [ath5k]
? _dev_notice+0xf6/0xf6
? apic_timer_interrupt+0xa/0x20
ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
? mutex_lock+0x89/0xd0
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
local_pci_probe+0xd3/0x160
pci_device_probe+0x23f/0x3e0
? pci_device_remove+0x280/0x280
? pci_device_remove+0x280/0x280
really_probe+0x209/0x5d0
Security readout for executives and security teams
Plain-English summary
CVE-2021-47633 is an out-of-bounds write in the Linux kernel ath5k wireless driver. The issue was found by fuzzing while the driver parsed calibration data. Business exposure is mainly systems that load ath5k for older Atheros wireless hardware, especially endpoints or embedded devices rather than typical servers.
Executive priority
Treat this as a targeted kernel maintenance item, not an internet-wide emergency. Patch affected Linux endpoints or embedded devices in normal security cycles, faster where ath5k hardware is present or untrusted physical access is plausible.
Technical view
The flaw is in ath5k_eeprom_read_pcal_info_5111. If no calibration curve is selected, idx can reach AR5K_EEPROM_N_PD_CURVES, and later code writes through an out-of-bounds pd_curves entry. The source notes multiple later OOB writes and a KASAN slab-out-of-bounds report during modprobe/probe initialization.
Likely exposure
Likely exposure is limited to Linux systems with affected kernels that use or load the ath5k driver. Systems without ath5k-capable wireless hardware, or where the module is unavailable or disabled, are less likely to be exposed based on the provided sources.
Exploitation context
The bundle reports fuzzing discovery and says the patch was not tested with a real device. It does not cite public exploitation, and KEV is false. The sources do not establish remote exploitability, privilege impact, or a complete attack path.
Researcher notes
Key uncertainty remains exploitability outside fuzzed EEPROM parsing. The crash occurred during driver initialization, and the report identifies slab out-of-bounds writes. Do not assume active exploitation or broad remote reach from the provided evidence.
Mitigation direction
Update to a vendor-supported kernel containing the referenced stable ath5k fixes.
Prioritize endpoints, appliances, and embedded Linux systems using older Atheros wireless adapters.
If ath5k is unnecessary, disable or remove the module using approved vendor guidance.
Track distribution advisories because package fixed versions may differ from upstream commit references.
Validation and detection
Inventory Linux systems for kernels and ath5k driver availability or use.
Identify systems with Atheros ath5k-compatible wireless hardware or module autoload behavior.
Compare installed kernel packages against vendor advisories and upstream stable fix references.
After updating, confirm the replacement kernel is running and ath5k still functions if required.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47633 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
10Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 26, 2025, 01:54 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.