CVE-2022-48876: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix initialization of rx->link and rx->link_sta

There are some codepaths that do not initialize rx->link_sta properly. This causes a crash in places which assume that rx->link_sta is valid if rx->sta is valid.

One known instance is triggered by __ieee80211_rx_h_amsdu being called from fast-rx. It results in a crash like this one:

BUG: kernel NULL pointer dereference, address: 00000000000000a8
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G E 6.1.0-debian64x+1.7 #3
Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014
RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]
Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48 83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 <48> 83 84 d0 a8 00 00 00 01 41 8b 86 c0 11 00 00 8d 50 fd 83 fa 01
RSP: 0018:ffff999040803b10 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900
R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000
FS:  0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0
Call Trace:
 <TASK>
 __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]
 ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
 ? __local_bh_enable_ip+0x3b/0xa0
 ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
 ? prepare_transfer+0x109/0x1a0 [xhci_hcd]
 ieee80211_rx_list+0xa80/0xda0 [mac80211]
 mt76_rx_complete+0x207/0x2e0 [mt76]
 mt76_rx_poll_complete+0x357/0x5a0 [mt76]
 mt76u_rx_worker+0x4f5/0x600 [mt76_usb]
 ? mt76_get_min_avg_rssi+0x140/0x140 [mt76]
 __mt76_worker_fn+0x50/0x80 [mt76]
 kthread+0xed/0x120
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30

Since the initialization of rx->link and rx->link_sta is rather convoluted and duplicated in many places, clean it up by using a helper function to set it.

[remove unnecessary rx->sta->sta.mlo check]
AI Analysis
Technical Summary
CVE-2022-48876 is a vulnerability identified in the Linux kernel's mac80211 wireless subsystem, specifically related to the initialization of the rx->link and rx->link_sta pointers within the receive (rx) path of Wi-Fi packet processing. The flaw arises because certain code paths fail to properly initialize rx->link_sta, which is assumed valid when rx->sta is valid. This improper initialization can lead to a NULL pointer dereference, causing a kernel crash (kernel oops) when the system attempts to access or write to an invalid memory address. The vulnerability is triggered during the handling of aggregated MAC service data units (A-MSDU) in the function __ieee80211_rx_h_amsdu, which is called from the fast-rx path. The crash manifests as a supervisor write access fault with a NULL pointer dereference at a low memory address (0xA8), as demonstrated in the provided kernel oops log. The root cause is the convoluted and duplicated initialization logic for rx->link and rx->link_sta, which was addressed by refactoring the code to use a helper function ensuring proper initialization. This vulnerability affects Linux kernel versions containing the specified commit (ccdde7c74ffd7e8bdd3cf685bbfa41231c8e3131) and likely impacts distributions using these kernel versions. The flaw does not require user interaction or authentication to be triggered; it can be exploited by processing crafted Wi-Fi frames, potentially by an attacker within wireless range. No known exploits are currently reported in the wild. The vulnerability primarily leads to denial of service (DoS) through kernel crashes, impacting system availability and stability. Confidentiality and integrity impacts are not directly indicated by this flaw. The vulnerability is relevant to systems using the mac80211 stack, which is common in many Linux-based devices, including servers, desktops, embedded systems, and IoT devices with Wi-Fi capabilities.
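The following is an added illustration of the bug class described above, written for this page and not taken from the Linux kernel. It models the invariant the mac80211 receive path relies on (rx->link_sta must be valid whenever rx->sta is) with constructed stand-in structs; a "before" path that fills in rx->sta but leaves rx->link_sta untouched, and an "after" helper in the spirit of the fix that sets both together. The struct layouts, the helper name rx_set_sta_and_link, and the consumer deliver() are this example's own assumptions, not kernel code; deliver() reports the violated invariant instead of dereferencing NULL so the program runs in user space.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the mac80211 objects involved; these
 * are NOT the kernel's definitions. A station carries a default link for
 * non-MLO operation plus an optional per-link array; the per-frame receive
 * context pairs rx->sta with rx->link_sta. */
#define MAX_LINKS 4

struct link_sta {
    unsigned long rx_packets;           /* per-link counter a consumer updates */
};

struct sta_info {
    struct link_sta deflink;            /* used when the frame has no link id */
    struct link_sta *link[MAX_LINKS];   /* NULL where no such link exists */
};

struct rx_data {
    struct sta_info *sta;
    struct link_sta *link_sta;
    int link_id;                        /* -1 when the frame carries no link id */
};

/* "Before": a code path that fills in rx->sta but never touches rx->link_sta.
 * Any consumer trusting "link_sta is valid when sta is valid" then
 * dereferences whatever was left in link_sta. */
static void rx_init_sta_only(struct rx_data *rx, struct sta_info *sta, int link_id)
{
    rx->sta = sta;
    rx->link_id = link_id;
}

/* "After": one helper that sets sta, link_id and link_sta together, in the
 * spirit of the fix's helper (name and signature are this example's own).
 * Returns 0 on success, -1 if the station has no such link, in which case
 * both pointers are left NULL so the invariant still holds. */
static int rx_set_sta_and_link(struct rx_data *rx, struct sta_info *sta, int link_id)
{
    rx->sta = NULL;
    rx->link_sta = NULL;
    rx->link_id = link_id;
    if (!sta)
        return 0;
    if (link_id < 0) {
        rx->link_sta = &sta->deflink;
    } else {
        if (link_id >= MAX_LINKS || !sta->link[link_id])
            return -1;
        rx->link_sta = sta->link[link_id];
    }
    rx->sta = sta;
    return 0;
}

/* Consumer relying on the invariant, as ieee80211_deliver_skb did when it
 * oopsed in the trace above. Here the violation is reported, not dereferenced. */
static int deliver(struct rx_data *rx)
{
    if (rx->sta && !rx->link_sta)
        return -1;                      /* this is where the NULL write would happen */
    if (rx->link_sta)
        rx->link_sta->rx_packets++;
    return 0;
}

/* Buggy path: sta set, link_sta left NULL -> deliver() reports the violation. */
int demo_uninitialised_link_sta(void)
{
    struct sta_info sta = {0};
    struct rx_data rx = {0};
    rx_init_sta_only(&rx, &sta, -1);
    return deliver(&rx);                /* -1 */
}

/* Fixed path, non-MLO frame: link_sta resolves to deflink and counting works. */
long demo_helper_default_link(void)
{
    struct sta_info sta = {0};
    struct rx_data rx = {0};
    if (rx_set_sta_and_link(&rx, &sta, -1) != 0)
        return -1;
    deliver(&rx);
    deliver(&rx);
    return (long)sta.deflink.rx_packets; /* 2 */
}

/* Fixed path, frame addressed to a link the station does not have: the helper
 * refuses and leaves both pointers NULL, so deliver() is a harmless no-op;
 * a valid link id resolves to that link's state. Returns 0 when all holds. */
int demo_helper_missing_link(void)
{
    struct sta_info sta = {0};
    struct link_sta link1 = {0};
    struct rx_data rx = {0};
    sta.link[1] = &link1;
    if (rx_set_sta_and_link(&rx, &sta, 2) != -1 || rx.sta || rx.link_sta)
        return -1;
    if (rx_set_sta_and_link(&rx, &sta, 1) != 0 || rx.link_sta != &link1)
        return -1;
    return (deliver(&rx) == 0 && link1.rx_packets == 1) ? 0 : -1;
}

int main(void)
{
    printf("uninitialised link_sta: %d\n", demo_uninitialised_link_sta());
    printf("default link packets:   %ld\n", demo_helper_default_link());
    printf("missing link handling:  %d\n", demo_helper_missing_link());
    return 0;
}
```

The design point is the one the commit message makes: when the same pair of pointers is initialised in many places, one of them will eventually be missed, and every consumer that assumes the pair is consistent becomes a crash site. Routing all initialisation through a single helper that either sets both or sets neither makes the invariant local to one function, which is what a reviewer or a static checker can actually verify.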
Potential Impact
For European organizations, the primary impact of CVE-2022-48876 is the potential for denial of service on Linux systems utilizing affected kernel versions with mac80211 Wi-Fi drivers. This can disrupt critical services, especially in environments relying on wireless connectivity for operational continuity, such as enterprise networks, industrial control systems, and public infrastructure. Systems that handle sensitive or critical workloads may experience unexpected reboots or crashes, leading to downtime and potential loss of productivity. While the vulnerability does not directly expose data confidentiality or integrity, the resulting instability could be leveraged as part of a broader attack chain or cause operational disruptions. Organizations with Linux-based Wi-Fi infrastructure, including access points, routers, or endpoint devices, are at risk if attackers are within wireless range and can send crafted frames to trigger the crash. This risk is heightened in environments with dense wireless deployments or public-facing Wi-Fi networks. Additionally, embedded Linux devices used in sectors like manufacturing, healthcare, and transportation across Europe may be affected, potentially impacting safety and service availability.
Mitigation Recommendations
To mitigate CVE-2022-48876, European organizations should:
1) Apply the latest Linux kernel updates and patches from their distribution vendors that include the fix for this vulnerability. Since the issue is resolved by refactoring the initialization logic, updated kernels should be prioritized.
2) For devices where kernel updates are not immediately feasible, consider disabling or restricting Wi-Fi interfaces using the mac80211 stack, especially in sensitive or critical environments, to reduce exposure.
3) Implement network segmentation and wireless intrusion detection/prevention systems (WIDS/WIPS) to monitor and block suspicious Wi-Fi frames or anomalous traffic patterns that could exploit this flaw.
4) Limit physical and wireless access to trusted users and devices, employing strong Wi-Fi authentication and encryption to reduce the risk of attackers sending malicious frames.
5) Monitor system logs and kernel crash reports for signs of exploitation attempts or instability related to Wi-Fi packet processing.
6) Coordinate with hardware vendors and Linux distribution maintainers to ensure timely deployment of patches and firmware updates.
7) For embedded or IoT devices, verify vendor firmware updates addressing this vulnerability and apply them promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-16T11:38:08.922Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6479
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 11:09:35 PM
Last updated: 8/6/2025, 1:44:55 PM