CVE-2022-49416

High

Published: 26 February 2025

Published

26 February 2025

Modified

24 March 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 17.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix use-after-free in chanctx code In ieee80211_vif_use_reserved_context(), when we have an old context and the new context's replace_state is set to IEEE80211_CHANCTX_REPLACE_NONE, we free the old context in ieee80211_vif_use_reserved_reassign(). Therefore, we cannot check the old_ctx anymore, so we should set it to NULL after this point. However, since the new_ctx replace state is clearly not IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do anything else in this function and can just return to avoid accessing the freed old_ctx.

Security Summary

CVE-2022-49416 is a use-after-free vulnerability in the Linux kernel's mac80211 WiFi subsystem, specifically within the channel context (chanctx) code. The issue occurs in the ieee80211_vif_use_reserved_context() function, where an old context is freed via ieee80211_vif_use_reserved_reassign() when the new context's replace_state is IEEE80211_CHANCTX_REPLACE_NONE. After freeing, the code fails to nullify the old_ctx pointer, potentially leading to subsequent access of the freed memory if the function continues execution. This flaw is classified under CWE-416 and carries a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction required (UI:N), as it requires only local access (AV:L) in an unscoped impact scenario (S:U). Successful exploitation could result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or system crashes within the kernel context.

Mitigation involves applying the relevant upstream kernel patches from the provided stable commit references, including 265bec4779a38b65e86a25120370f200822dfa76, 2965c4cdf7ad9ce0796fac5e57debb9519ea721e, 4ba81e794f0fad6234f644c2da1ae14d5b95e1c4, 4f05a9e15edcdf5b97e0d86ab6ecd5f187289f6c, and 6118bbdf69f4718b02d26bbcf2e497eb66004331, which fix the use-after-free by properly nullifying the old_ctx pointer and early-returning to avoid further access.

Details

CWE(s): CWE-416

Affected Products

linux

linux kernel

3.17 — 4.9.318 · 4.10 — 4.14.283 · 4.15 — 4.19.247

References

https://git.kernel.org/stable/c/265bec4779a38b65e86a25120370f200822dfa76
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2965c4cdf7ad9ce0796fac5e57debb9519ea721e
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4ba81e794f0fad6234f644c2da1ae14d5b95e1c4
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4f05a9e15edcdf5b97e0d86ab6ecd5f187289f6c
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6118bbdf69f4718b02d26bbcf2e497eb66004331
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/82c8e7bbdd06c7ed58e22450cc5b37f33a25bb2c
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/88cc8f963febe192d6ded9df7217f92f380b449a
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9f1e5cc85ad77e52f54049a94db0407445ae2a34
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b79110f2bf6022e60e590d2e094728a8eec3e79e
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67