CVE-2022-49290: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix potential double free on mesh join

While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh") fixed a memory leak on mesh leave / teardown it introduced a potential memory corruption caused by a double free when rejoining the mesh:

ieee80211_leave_mesh()
-> kfree(sdata->u.mesh.ie);
...
ieee80211_join_mesh()
-> copy_mesh_setup()
-> old_ie = ifmsh->ie;
-> kfree(old_ie);

This double free / kernel panics can be reproduced by using wpa_supplicant with an encrypted mesh (if set up without encryption via "iw" then ifmsh->ie is always NULL, which avoids this issue). And then calling:

$ iw dev mesh0 mesh leave
$ iw dev mesh0 mesh join my-mesh

Note that typically these commands are not used / working when using wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join where the NETDEV_UP resets the mesh.ie to NULL via a memcpy of default_mesh_setup in cfg80211_netdev_notifier_call, which then avoids the memory corruption, too.

The issue was first observed in an application which was not using wpa_supplicant but "Senf" instead, which implements its own calls to nl80211.

Fixing the issue by removing the kfree()'ing of the mesh IE in the mesh join function and leaving it solely up to the mesh leave to free the mesh IE.
AI Analysis
Technical Summary
CVE-2022-49290 is a double free in the Linux kernel's mac80211 wireless subsystem, in the code that handles leaving and rejoining an 802.11s mesh. Commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh") fixed a memory leak by having ieee80211_leave_mesh() kfree() the mesh information element (IE) buffer, sdata->u.mesh.ie, but it left the now-dangling pointer in place. On the next join, copy_mesh_setup() still treated that pointer as the previous IE (old_ie) and kfree()d it again before installing the new copy, so a leave followed by a join freed the same allocation twice, corrupting the kernel heap and in practice causing a kernel panic. The IE buffer is only non-NULL for an encrypted mesh (for example one joined through wpa_supplicant); a mesh configured without encryption via iw keeps ifmsh->ie at NULL, and kfree(NULL) is a no-op, so that configuration is not affected. The sequence is reachable with "iw dev mesh0 mesh leave" followed by "iw dev mesh0 mesh join my-mesh" on an interface that wpa_supplicant had joined to an encrypted mesh. wpa_supplicant and wpa_cli themselves normally avoid the bug only incidentally: they cycle the interface through NETDEV_DOWN/NETDEV_UP between leave and join, and on NETDEV_UP cfg80211_netdev_notifier_call memcpy()s default_mesh_setup over the mesh state, resetting the IE pointer to NULL. A tool that drives nl80211 directly without that down/up cycle, as the "Senf" application in which the issue was first observed does, hits the double free. The fix removes the kfree() from the join path and makes the leave path the sole owner responsible for freeing the IE. Kernels that carry 6a01afcf8468 (including stable backports of it) but not the fix are affected, and triggering the bug leads to kernel crashes or memory corruption.
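The ownership bug described above, modelled in user space as an added example (this is not kernel code and not the patch). The names ifmsh->ie, copy_mesh_setup(), leave_mesh() and netdev_up_reset() are stand-ins for the mac80211/cfg80211 paths named in the description, the RSN IE bytes are constructed, and the tracked allocator is a harness that counts a second free of the same pointer instead of corrupting the heap the way kfree() would. run_rejoin() plays the leave-then-join sequence three ways: pre-fix code, fixed code, and pre-fix code with the NETDEV_DOWN/UP cycle that wpa_supplicant happens to insert.

```c
/* Added example, not kernel code: user-space model of the mesh IE ownership bug
 * behind CVE-2022-49290; the tracked allocator records double frees. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define MAX_TRACKED 16
enum { SLOT_EMPTY, SLOT_LIVE, SLOT_FREED };
static struct { void *p; int state; } slots[MAX_TRACKED];
static int double_frees;
static const char *double_free_site = "";

/* Real memory is released only between runs, so an address is never reused mid-run. */
static void tracker_reset(void)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        free(slots[i].p);
    memset(slots, 0, sizeof slots);
    double_frees = 0;
    double_free_site = "";
}

static void *tracked_memdup(const void *src, size_t n) /* kmemdup() stand-in */
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].state != SLOT_EMPTY)
            continue;
        slots[i].p = malloc(n);
        memcpy(slots[i].p, src, n);
        slots[i].state = SLOT_LIVE;
        return slots[i].p;
    }
    abort();
}

/* kfree() stand-in: NULL is a no-op; a second free is counted and attributed to its site. */
static void tracked_free(void *p, const char *site)
{
    if (!p)
        return;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].p != p)
            continue;
        if (slots[i].state == SLOT_FREED) {
            double_frees++;
            double_free_site = site;
        }
        slots[i].state = SLOT_FREED;
        return;
    }
    abort(); /* never allocated by us */
}

static int tracked_live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        n += slots[i].state == SLOT_LIVE;
    return n;
}

struct mesh_setup { const unsigned char *ie; unsigned char ie_len; };
struct ifmsh { unsigned char *ie; unsigned char ie_len; };

/* Join path. Pre-fix copy_mesh_setup() also kfree()d old_ie; the fix drops that kfree. */
static void copy_mesh_setup(struct ifmsh *ifmsh, const struct mesh_setup *s, bool fixed)
{
    unsigned char *old_ie = ifmsh->ie;
    ifmsh->ie = s->ie_len ? tracked_memdup(s->ie, s->ie_len) : NULL;
    ifmsh->ie_len = s->ie_len;
    if (!fixed)
        tracked_free(old_ie, "join"); /* old_ie was already freed by leave_mesh() */
}

/* Leave path after 6a01afcf8468: frees the IE but leaves the pointer dangling. */
static void leave_mesh(struct ifmsh *ifmsh) { tracked_free(ifmsh->ie, "leave"); }

/* NETDEV_UP: cfg80211 copies default_mesh_setup over the mesh state, so ie becomes NULL. */
static void netdev_up_reset(struct ifmsh *ifmsh) { memset(ifmsh, 0, sizeof(*ifmsh)); }

/* join -> leave -> [NETDEV_DOWN/UP] -> join -> leave with an encrypted-mesh setup (non-NULL
 * IE). Returns the double frees seen; *leaked receives the IE buffers still live at the end. */
int run_rejoin(bool fixed, bool down_up_between, int *leaked)
{
    /* constructed bytes standing in for the RSN IE an encrypted mesh carries */
    static const unsigned char rsn_ie[] = { 0x30, 0x04, 0x01, 0x00, 0x00, 0x0f };
    struct mesh_setup enc = { rsn_ie, (unsigned char)sizeof rsn_ie };
    struct ifmsh ifmsh = { 0 };
    tracker_reset();
    copy_mesh_setup(&ifmsh, &enc, fixed);
    leave_mesh(&ifmsh);
    if (down_up_between)
        netdev_up_reset(&ifmsh);
    copy_mesh_setup(&ifmsh, &enc, fixed);
    leave_mesh(&ifmsh);
    *leaked = tracked_live_count();
    return double_frees;
}

const char *last_double_free_site(void) { return double_free_site; }
```

With the pre-fix join and no down/up cycle, the second join reports one double free attributed to "join"; with the fix, or with the NETDEV_UP reset in between, there is none, and in every variant no IE buffer is left live at the end, so the fix does not reintroduce the leak that 6a01afcf8468 closed. An unencrypted mesh would pass ie_len of 0, keep the pointer NULL throughout, and never reach the bug, which is why the iw-without-encryption case in the description is unaffected.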
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems that run Linux-based 802.11s mesh networking with an encrypted mesh, especially where the mesh is managed by custom tooling that drives nl80211 directly rather than by wpa_supplicant, since wpa_supplicant's interface down/up cycle between leave and join only incidentally sidesteps the bug. The practical effect is denial of service through a kernel panic, which disrupts wireless mesh networks used in enterprise, industrial or public infrastructure environments: IoT deployments, smart city infrastructure, or communications at remote or distributed sites that depend on mesh connectivity. Triggering the sequence requires the ability to issue mesh leave and join operations on the interface, which nl80211 restricts to processes holding CAP_NET_ADMIN in the interface's network namespace, so an attacker needs local privileged access or control of the mesh management software rather than a remote path; no exploits are currently reported in the wild. A double free in the kernel heap is a memory corruption primitive in principle, but no path from it to information disclosure or privilege escalation has been demonstrated and the observed outcome is instability or a crash, so confidentiality and integrity impacts are limited. The disruption of network services can nonetheless affect business continuity and operational security.
Mitigation Recommendations
European organizations should make sure deployed kernels include the fix titled "mac80211: fix potential double free on mesh join", which removes the redundant kfree() from the mesh join path. Note that commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh") is the change that introduced the regression, not the fix: a kernel that carries 6a01afcf8468 or a stable backport of it without the later fix is affected, so check distribution advisories for CVE-2022-49290 rather than looking for that hash. Organizations using mesh management tools that call nl80211 directly, such as "Senf", should audit how those tools sequence leave and join; until the kernel is patched, bringing the interface down and up between a mesh leave and the next join avoids the double free, because NETDEV_UP resets the mesh IE pointer to NULL, which is the reason wpa_supplicant-driven setups are not affected in practice. Administrators should avoid manual "iw dev ... mesh leave" / "mesh join" sequences on interfaces that wpa_supplicant joined to an encrypted mesh, and monitor for kernel panics or oopses that reference mac80211 mesh functions. Kernel crash capture (for example kdump or pstore) and automated recovery can reduce downtime and preserve evidence. In critical environments, restrict CAP_NET_ADMIN and access to the mesh management interface to trusted administrators, since the leave/join operations that trigger the bug require it. Finally, track Linux kernel security advisories and subscribe to vendor notifications to stay informed about patches and related vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.302Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd637
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/28/2025, 12:27:22 AM
Last updated: 7/29/2025, 12:21:37 AM