CVE-2022-48875: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: sdata can be NULL during AMPDU start

ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a deauthentication is ongoing. Here a trace triggering the race with the hostapd test multi_ap_fronthaul_on_ap:

(gdb) list *drv_ampdu_action+0x46
0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
391	int ret = -EOPNOTSUPP;
392
393	might_sleep();
394
395	sdata = get_bss_sdata(sdata);
396	if (!check_sdata_in_driver(sdata))
397		return -EIO;
398
399	trace_drv_ampdu_action(local, sdata, params);
400

wlan0: moving STA 02:00:00:00:03:00 to state 3
wlan0: associated
wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
wlan0: moving STA 02:00:00:00:03:00 to state 2
wlan0: moving STA 02:00:00:00:03:00 to state 1
wlan0: Removed STA 02:00:00:00:03:00
wlan0: Destroyed STA 02:00:00:00:03:00
BUG: unable to handle page fault for address: fffffffffffffb48
PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Workqueue: phy3 ieee80211_ba_session_work [mac80211]
RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
FS:  0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
Call Trace:
 <TASK>
 ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
 ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
 process_one_work+0x29f/0x620
 worker_thread+0x4d/0x3d0
 ? process_one_work+0x620/0x620
 kthread+0xfb/0x120
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
 </TASK>
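As an added analysis aid (not code from the page, from mac80211, or the upstream fix), the following userspace C model reproduces the pointer arithmetic behind the registers in the oops above and the guard shape that would avoid it. The struct offsets, the AP_VLAN type value and the sample addresses are assumptions decoded here from the Code: bytes at RIP (cmp [rbx+0x1ba0],4; mov rbx,[rbx+0xd28]; sub rbx,0xe10; mov edx,[rbx+0x958]) and only describe that exact build; the point is that CR2 = 0xfffffffffffffb48 is NULL minus a field offset, the signature of a missing NULL check rather than heap corruption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code. Offsets are an analyst's assumption
 * decoded from the oops "Code:" bytes and hold only for that build. */
#define OFF_BSS        0x0d28ULL  /* sdata->bss                                  */
#define OFF_U_AP       0x0e10ULL  /* offsetof(sdata, u.ap): the container_of()   */
#define OFF_FLAGS      0x0958ULL  /* sdata->flags, read by check_sdata_in_driver */
#define IFTYPE_AP_VLAN 4          /* NL80211_IFTYPE_AP_VLAN                      */

/* What get_bss_sdata() yields for an AP_VLAN whose bss pointer is already
 * gone: container_of(NULL, ..., u.ap) == 0 - OFF_U_AP, i.e. the RBX value in
 * the oops. Done on integers so the model never dereferences anything. */
uint64_t model_get_bss_sdata(uint64_t sdata, int vif_type, uint64_t bss)
{
    if (sdata && vif_type == IFTYPE_AP_VLAN)
        return bss - OFF_U_AP;
    return sdata;
}

/* Address of the first field check_sdata_in_driver() reads (matches CR2). */
uint64_t model_flags_addr(uint64_t bss_sdata)
{
    return bss_sdata + OFF_FLAGS;
}

/* Triage rule for oops output: a fault address in the first page, or within
 * 64 KiB below the top of the address space, is NULL plus or minus a field
 * offset, which points at a missing NULL check rather than a corrupted heap. */
int is_null_derived(uint64_t fault_addr)
{
    return fault_addr < 4096 || fault_addr > UINT64_MAX - 65536;
}

/* Defensive shape of the same path: refuse the AMPDU action when the sdata or
 * the bss backing an AP_VLAN has been torn down, instead of faulting. */
int model_ampdu_action_guarded(uint64_t sdata, int vif_type, uint64_t bss)
{
    if (!sdata)
        return -EINVAL;
    if (vif_type == IFTYPE_AP_VLAN && !bss)
        return -EIO;
    return 0;
}

int main(void)
{
    uint64_t sdata = 0xffff888100000000ULL;  /* constructed live sdata address */
    uint64_t rbx = model_get_bss_sdata(sdata, IFTYPE_AP_VLAN, 0);
    printf("RBX=%#llx CR2=%#llx null_derived=%d\n", (unsigned long long)rbx,
           (unsigned long long)model_flags_addr(rbx), is_null_derived(model_flags_addr(rbx)));
    return 0;
}
```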
AI Analysis
Technical Summary
CVE-2022-48875 is a vulnerability identified in the Linux kernel's mac80211 wireless subsystem, specifically related to the handling of AMPDU (Aggregated MAC Protocol Data Unit) start operations. The vulnerability arises from a race condition where the sdata pointer, which represents the software data context for a Basic Service Set (BSS), can become NULL during the initiation of an AMPDU session. This situation occurs when a deauthentication process is concurrently ongoing, leading to a use-after-free or null pointer dereference scenario. The vulnerability is triggered in the function ieee80211_tx_ba_session_handle_start(), which manages Block Acknowledgement (BA) sessions for wireless transmissions. During the race, if a deauthentication event removes the station (STA) data structure, sdata becomes invalid, but the function continues to operate on it, causing a kernel crash (BUG) due to an unhandled page fault. The provided debug trace demonstrates the kernel oops and stack trace leading to the fault, indicating a critical flaw in concurrency control within the mac80211 driver operations. This flaw could be exploited to cause a denial of service (DoS) by crashing the kernel, potentially impacting wireless connectivity and system stability. The vulnerability affects Linux kernel versions prior to the patch and is particularly relevant for systems running wireless access points or clients using the mac80211 stack. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The issue was reserved in mid-July 2024 and published in August 2024, indicating recent discovery and disclosure.
Potential Impact
For European organizations, this vulnerability poses a significant risk to any infrastructure relying on Linux-based wireless networking, including enterprise Wi-Fi access points, routers, and client devices using the mac80211 stack. The primary impact is a denial of service condition caused by kernel crashes, which can disrupt wireless connectivity and potentially lead to broader system instability or downtime. This is particularly critical for sectors that depend on continuous wireless availability, such as telecommunications, finance, healthcare, and critical infrastructure. The vulnerability could be triggered remotely if an attacker can induce deauthentication frames or manipulate wireless sessions, potentially causing widespread disruption in corporate or public Wi-Fi environments. Although no privilege escalation or data leakage is indicated, the loss of availability can have cascading effects on business operations and service delivery. Given the prevalence of Linux in networking equipment and servers across Europe, the impact could be substantial if unpatched systems are exploited, especially in environments with high wireless traffic and multiple connected clients.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize updating their Linux kernel to the latest patched versions that address CVE-2022-48875. Since the issue stems from a race condition in the mac80211 driver, applying vendor-supplied kernel patches or upgrading to a kernel version released after the fix is essential. Network administrators should audit wireless infrastructure to identify devices running vulnerable kernel versions and schedule immediate patching. Additionally, organizations can implement network-level controls to monitor and restrict deauthentication frames or suspicious wireless management traffic that could trigger the race condition. Employing wireless intrusion detection/prevention systems (WIDS/WIPS) to detect anomalous deauthentication attempts can reduce exploitation risk. For critical systems where immediate patching is not feasible, temporarily disabling or limiting wireless functionality or isolating affected devices on separate network segments may reduce exposure. Finally, organizations should maintain robust incident response plans to quickly address potential DoS incidents affecting wireless connectivity.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-16T11:38:08.922Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6471
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 10:58:12 PM
Last updated: 8/12/2025, 10:04:01 AM