CVE-2022-49740: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

This patch fixes slab-out-of-bounds reads in brcmfmac that occur in brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count value of channel specifications provided by the device is greater than the length of 'list->element[]', decided by the size of the 'list' allocated with kzalloc(). The patch adds checks that make the functions free the buffer and return -EINVAL if that is the case. Note that the negative return is handled by the caller, brcmf_setup_wiphybands() or brcmf_cfg80211_attach().

Found by a modified version of syzkaller.

Crash Report from brcmf_construct_chaninfo():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896

CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0.cold+0x93/0x334
 kasan_report.cold+0x83/0xdf
 brcmf_setup_wiphybands+0x1238/0x1430
 brcmf_cfg80211_attach+0x2118/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

Allocated by task 1896:
 kasan_save_stack+0x1b/0x40
 __kasan_kmalloc+0x7c/0x90
 kmem_cache_alloc_trace+0x19e/0x330
 brcmf_setup_wiphybands+0x290/0x1430
 brcmf_cfg80211_attach+0x2118/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888115f24000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
 2048-byte region [ffff888115f24000, ffff888115f24800)

Memory state around the buggy address:
 ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crash Report from brcmf_enable_bw40_2g():
==========
---truncated---
AI Analysis
Technical Summary
CVE-2022-49740 is a vulnerability in the Linux kernel's Broadcom FullMAC wireless driver (brcmfmac), in the handling of the channel specifications the device reports to the driver. The flaw arises from insufficient validation of the 'count' value that states how many channel specifications the device has provided. When this count exceeds the number of entries that fit in the allocated list buffer, brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() read past the end of the buffer (a slab-out-of-bounds read), which can crash the kernel or cause undefined behavior. The bug was found with a modified version of the syzkaller fuzzer and is evidenced by Kernel Address Sanitizer (KASAN) reports of out-of-bounds reads during wireless PHY band setup in brcmf_setup_wiphybands(). The fix adds explicit checks of the count against the allocated buffer size; when the count is too large, the functions free the buffer and return -EINVAL, and the callers (brcmf_setup_wiphybands() and brcmf_cfg80211_attach()) handle the negative return so that the malformed data is not processed further. The vulnerability affects Linux kernel versions prior to the patch and is specific to the brcmfmac driver used with various Broadcom wireless devices. No exploits are reported in the wild, and no CVSS score has been assigned.
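To make the fix concrete, the following is an added example in plain C, not the kernel's own code: a fixed-size buffer is filled by the device with a count and channel specs, and the count is validated against the buffer's capacity before element[] is indexed, which is the check the patch introduces. The struct and function names are hypothetical stand-ins for the driver's, and the 1536-byte buffer size is constructed from the offset of the first bad read in the KASAN report above.

```c
/* Added example, not the kernel's code: models the check that the CVE-2022-49740
 * fix adds to brcmfmac. The driver allocates a fixed-size buffer, the device fills
 * in 'count' plus channel specs, and count must be validated before element[] is read. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed buffer size; the KASAN report puts the first bad read 1536 bytes in. */
#define CHANSPEC_BUF_SIZE 1536

struct chanspec_list {            /* hypothetical stand-in for the driver's list struct */
    uint32_t count;               /* written by device firmware: number of specs */
    uint32_t element[];           /* channel specs follow the count */
};

/* Number of element[] entries a buffer of buf_size bytes can hold. */
size_t chanspec_capacity(size_t buf_size)
{
    if (buf_size < sizeof(struct chanspec_list))
        return 0;
    return (buf_size - sizeof(struct chanspec_list)) / sizeof(uint32_t);
}

/* Hardened walk: returns the number of specs processed, or -EINVAL when the
 * device-supplied count exceeds what the buffer holds (the fix's new check). */
int walk_chanspecs(const struct chanspec_list *list, size_t buf_size, uint32_t *max_spec)
{
    if (list->count > chanspec_capacity(buf_size))
        return -EINVAL;           /* untrusted count: never index element[] */
    *max_spec = 0;
    for (uint32_t i = 0; i < list->count; i++)
        if (list->element[i] > *max_spec)
            *max_spec = list->element[i];
    return (int)list->count;
}

/* Simulates one device response with the given count in a zeroed buffer
 * (calloc stands in for kzalloc) and frees it afterwards, as the driver does. */
int simulate_device_response(uint32_t count, uint32_t *max_spec)
{
    struct chanspec_list *list = calloc(1, CHANSPEC_BUF_SIZE);
    if (!list)
        return -ENOMEM;
    list->count = count;          /* the value the device controls */
    for (size_t i = 0; i < count && i < chanspec_capacity(CHANSPEC_BUF_SIZE); i++)
        list->element[i] = (uint32_t)(1000 + i);   /* constructed channel specs */
    int ret = walk_chanspecs(list, CHANSPEC_BUF_SIZE, max_spec);
    free(list);
    return ret;
}
```

With a 1536-byte buffer the list holds at most 383 entries, so a device-reported count of 384 or more is rejected with -EINVAL before any element is read.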
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected brcmfmac driver enabled, which is common in devices using Broadcom FullMAC Wi-Fi chipsets. The main impact is a kernel crash leading to a denial of service (DoS), which could disrupt critical network connectivity, especially in environments that rely on wireless communication. Because the count is supplied by the device during driver attach (the KASAN trace runs from brcmf_usb_probe() into brcmf_cfg80211_attach()), triggering the flaw requires a malfunctioning or malicious Wi-Fi device or device firmware, which narrows the realistic exposure to hosts where untrusted hardware can be connected. Although the vulnerability involves out-of-bounds reads rather than writes, the risk of information leakage or escalation is limited but cannot be entirely ruled out without further exploit analysis. Systems in sectors such as telecommunications, manufacturing, and critical infrastructure that use embedded Linux devices or network equipment with Broadcom Wi-Fi components may be particularly affected. Loss of wireless connectivity could impact operational continuity, remote management, and IoT device functionality. Given the kernel-level nature of the flaw, exploitation could affect system stability and availability, and with it business operations and service delivery.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to a version that includes the patch for CVE-2022-49740, i.e. a release that carries the added count validation in the brcmfmac driver. For embedded systems or devices where kernel updates are not immediately feasible, consider disabling or limiting the use of the affected Broadcom Wi-Fi interfaces where possible. Network segmentation and strict access controls should be enforced to minimize exposure of vulnerable devices to untrusted networks, and physical access to USB and other device ports should be controlled, since the flaw is reached through data the device supplies at attach time. Monitoring kernel logs can help detect attempts to trigger the vulnerability: KASAN reports appear only on kernels built with KASAN, so on production kernels watch instead for oopses or crashes in brcmf_setup_wiphybands() or brcmf_cfg80211_attach() when a Wi-Fi device is probed. Additionally, organizations should maintain an inventory of devices using Broadcom FullMAC Wi-Fi chipsets and assess their patch status. Collaborating with device vendors to obtain updated firmware or kernel versions is advisable. Intrusion detection systems capable of identifying anomalous wireless driver behavior may provide early warning of exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-03-27T16:39:17.986Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe49db
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 12:55:42 AM
Last updated: 7/27/2025, 12:55:03 AM