
CVE-2022-49112: Vulnerability in Linux

Severity: Medium
Tags: vulnerability, cve, cve-2022-49112
Published: Wed Feb 26 2025 (02/26/2025, 01:54:57 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mt76: fix monitor mode crash with sdio driver

The mt7921s driver may receive frames with fragment buffers. If a CTS packet is received in monitor mode, the payload is only 10 bytes and needs 6 bytes of header padding after the RXD buffer. However, only the RXD is in the first linear buffer; if we pull a buffer size of RXD-size+6 bytes with skb_pull(), that triggers "BUG_ON(skb->len < skb->data_len)" in __skb_pull(). To avoid the nonlinear buffer issue, enlarge the RXD size from 128 to 256 to make sure all MCU operations are in the linear buffer.

    [ 52.007562] kernel BUG at include/linux/skbuff.h:2313!
    [ 52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    [ 52.007987] pc : skb_pull+0x48/0x4c
    [ 52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]
    [ 52.008361] Call trace:
    [ 52.008377] skb_pull+0x48/0x4c
    [ 52.008400] mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c]
    [ 52.008431] __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917]
    [ 52.008449] kthread+0x148/0x3ac
    [ 52.008466] ret_from_fork+0x10/0x30

AI-Powered Analysis

AILast updated: 07/01/2025, 02:28:04 UTC

Technical Analysis

CVE-2022-49112 is a vulnerability in the Linux kernel's mt76 wireless driver family, specifically the mt7921s SDIO driver. The issue arises when the driver operates in monitor mode and processes received frames whose data is split across fragment buffers. If a Clear To Send (CTS) packet is received in monitor mode, the payload is only 10 bytes and requires an additional 6 bytes of header padding after the RXD buffer. However, only the RXD occupies the first linear buffer. When the driver calls skb_pull() to remove RXD-size plus 6 bytes, the pull extends past the linear head into the paged fragments, and __skb_pull() detects the inconsistency through its check "BUG_ON(skb->len < skb->data_len)". The result is a kernel BUG and Oops (a crash), as shown in the kernel trace quoted in the description. The root cause is that the driver pulls more bytes than are guaranteed to sit in the linear portion of a nonlinear skb. The fix enlarges the RXD size from 128 bytes to 256 bytes so that all MCU operations occur within the linear buffer, which keeps the skb_pull() within bounds. The vulnerability can cause a denial of service (DoS) by crashing the kernel when specific wireless frames are processed in monitor mode. It affects Linux kernel versions containing the vulnerable mt76 driver code prior to the patch. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
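To make the BUG_ON condition concrete, here is an added user-space model of the two sk_buff length fields involved; it is example code, not kernel or mt76 driver code. The 124-byte RXD header length and 140-byte frame length used with it are constructed values chosen so the arithmetic reproduces the failure, not the real mt7921 sizes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model of the sk_buff fields that matter here (example, not kernel code):
 * len counts every byte of the frame, data_len counts the bytes living in
 * paged fragments, so the linear head holds exactly len - data_len bytes. */
struct skb_model {
    size_t len;
    size_t data_len;
};

/* Mirrors skb_pull()/__skb_pull(): refuse a pull longer than the frame,
 * shrink len, then BUG_ON if the pull reached into the fragments. Returns
 * false both for the NULL return and where the kernel would crash. */
static bool model_skb_pull(struct skb_model *skb, size_t n)
{
    if (n > skb->len)
        return false;                    /* skb_pull() returns NULL here */
    skb->len -= n;
    return !(skb->len < skb->data_len);  /* BUG_ON(skb->len < skb->data_len) */
}

/* Hardened variant: refuse unless the whole range sits in the linear head,
 * which is the check pskb_may_pull() performs before any pull. */
static bool model_skb_pull_checked(struct skb_model *skb, size_t n)
{
    size_t headlen = skb->len - skb->data_len;
    if (n > headlen)
        return false;                    /* caller must linearize or drop */
    skb->len -= n;
    return true;
}

/* Receive layout from the commit message: the SDIO path keeps at most
 * rxd_size bytes in the linear head and the remainder in fragments. */
static struct skb_model make_rx(size_t rxd_size, size_t frame_len)
{
    struct skb_model skb = { .len = frame_len, .data_len = 0 };
    if (frame_len > rxd_size)
        skb.data_len = frame_len - rxd_size;
    return skb;
}

/* The CTS case: strip the RXD header plus 6 bytes of padding. rxd_hdr_len
 * and frame_len are constructed inputs, not real mt7921 values. */
static bool cts_pull_ok(size_t rxd_size, size_t rxd_hdr_len, size_t frame_len)
{
    struct skb_model skb = make_rx(rxd_size, frame_len);
    return model_skb_pull(&skb, rxd_hdr_len + 6);
}
```

With a 128-byte linear head the constructed frame leaves 12 bytes in fragments and the 130-byte pull trips the BUG_ON; with 256 bytes the whole frame is linear and the same pull succeeds.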

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected mt76 wireless drivers, especially those using the mt7921s SDIO wireless chipsets. The impact is mainly a denial of service through kernel crashes, which could disrupt network connectivity and system availability. This is particularly critical for infrastructure relying on wireless communications, such as enterprise Wi-Fi access points, embedded devices, or IoT systems using affected chipsets. In environments where monitor mode is used for network analysis or security monitoring, the vulnerability could be triggered unintentionally or maliciously by crafted wireless frames, leading to instability or outages. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting kernel panic could interrupt critical services and cause operational downtime. European organizations with Linux-based wireless infrastructure or embedded devices should be aware of this risk, especially in sectors like telecommunications, manufacturing, and public services where wireless connectivity is essential.

Mitigation Recommendations

To mitigate this vulnerability, organizations should apply the official Linux kernel patches that enlarge the RXD buffer size in the mt76 driver as soon as they become available. Until patches are deployed, disabling monitor mode on affected wireless interfaces can prevent triggering the bug, as the issue manifests specifically in monitor mode. Network administrators should audit their systems to identify devices using the mt7921s or related mt76 SDIO drivers and prioritize patching those systems. For embedded or IoT devices, firmware updates from vendors incorporating the patched kernel should be applied promptly. Additionally, implementing network segmentation and wireless frame filtering can reduce exposure to malicious or malformed CTS packets that could trigger the vulnerability. Monitoring kernel logs for BUG_ON or Oops messages related to skb_pull or the mt76 drivers can help detect exploitation attempts or instability. Finally, organizations should maintain up-to-date inventories of Linux kernel versions and wireless hardware to ensure timely response to such vulnerabilities.
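The log-monitoring recommendation above can be turned into a small check that looks for the crash signature from the description (an oops whose call trace shows skb_pull reached from the mt76/mt7921 modules). This is an added example, not code from the page or the kernel project; the dmesg excerpt inside it is constructed from the quoted trace and is not a real capture.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed sample dmesg excerpt (not a real capture): the lines mirror
 * the trace quoted in the CVE description, preceded by unrelated noise. */
static const char *sample_dmesg =
    "[   51.900000] wlan0: associated\n"
    "[   52.007562] kernel BUG at include/linux/skbuff.h:2313!\n"
    "[   52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n"
    "[   52.007987] pc : skb_pull+0x48/0x4c\n"
    "[   52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]\n"
    "[   52.008361] Call trace:\n"
    "[   52.008377]  skb_pull+0x48/0x4c\n"
    "[   52.008400]  mt76s_net_worker+0x134/0x1b0 [mt76_sdio]\n"
    "[   52.008449]  kthread+0x148/0x3ac\n";

/* Count oops reports whose trace shows skb_pull together with an mt76 or
 * mt7921 frame: the signature of this crash. A report starts at a
 * "kernel BUG at" line and ends at the next such line or end of input, so
 * the two strings must appear inside the same report to count. */
int count_mt76_skb_pull_oops(const char *log)
{
    int hits = 0;
    bool in_oops = false, saw_pull = false, saw_mt76 = false;
    const char *line = log;

    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (n >= sizeof buf)
            n = sizeof buf - 1;          /* truncate over-long lines */
        memcpy(buf, line, n);
        buf[n] = '\0';

        if (strstr(buf, "kernel BUG at")) {
            if (in_oops && saw_pull && saw_mt76)
                hits++;                  /* close the previous report */
            in_oops = true; saw_pull = false; saw_mt76 = false;
        } else if (in_oops) {
            if (strstr(buf, "skb_pull"))
                saw_pull = true;
            if (strstr(buf, "mt76") || strstr(buf, "mt7921"))
                saw_mt76 = true;
        }
        line = nl ? nl + 1 : NULL;
    }
    if (in_oops && saw_pull && saw_mt76)
        hits++;                          /* report still open at EOF */
    return hits;
}
```

Run against journald or dmesg output on a host with the affected driver; a non-zero count is worth correlating with monitor-mode use on that interface.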


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.261Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6bb1

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 2:28:04 AM

Last updated: 8/16/2025, 12:34:00 AM

