
CVE-2022-49876: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

Severity: High
Published: Thu May 01 2025 (05/01/2025, 14:10:25 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit()

When the device is running and the interface status is changed, the gpf issue is triggered. The problem triggering process is as follows:

    Thread A:                               Thread B
    ieee80211_runtime_change_iftype()       process_one_work()
        ...                                     ...
        ieee80211_do_stop()                     ...
            ...                                 ...
            sdata->bss = NULL                   ...
            ...                                 ieee80211_subif_start_xmit()
                                                    ieee80211_multicast_to_unicast
                                                    //!sdata->bss->multicast_to_unicast
                                                    cause gpf issue

When the interface status is changed, the sending queue continues to send packets. After the bss is set to NULL, the bss is accessed. As a result, this causes a general-protection-fault issue.

The following is the stack information:

    general protection fault, probably for non-canonical address 0xdffffc000000002f: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f]
    Workqueue: mld mld_ifc_work
    RIP: 0010:ieee80211_subif_start_xmit+0x25b/0x1310
    Call Trace:
    <TASK>
    dev_hard_start_xmit+0x1be/0x990
    __dev_queue_xmit+0x2c9a/0x3b60
    ip6_finish_output2+0xf92/0x1520
    ip6_finish_output+0x6af/0x11e0
    ip6_output+0x1ed/0x540
    mld_sendpack+0xa09/0xe70
    mld_ifc_work+0x71c/0xdb0
    process_one_work+0x9bf/0x1710
    worker_thread+0x665/0x1080
    kthread+0x2e4/0x3a0
    ret_from_fork+0x1f/0x30
    </TASK>

AI-Powered Analysis

Last updated: 06/30/2025, 02:55:50 UTC

Technical Analysis

CVE-2022-49876 is a vulnerability in the Linux kernel's mac80211 wireless subsystem, specifically in the ieee80211_subif_start_xmit() transmit path. The flaw is a race condition between two kernel contexts: one that changes the interface type and stops the interface (ieee80211_runtime_change_iftype() calling ieee80211_do_stop()), and a workqueue item (in the quoted trace mld_ifc_work, sending an IPv6 MLD report via process_one_work()) whose packet transmission reaches ieee80211_subif_start_xmit(). When the interface is stopped, ieee80211_do_stop() sets the interface's Basic Service Set pointer (sdata->bss) to NULL to indicate that the interface is no longer active. The transmit queue, however, may still be sending packets, so ieee80211_subif_start_xmit() can dereference the now-NULL pointer; the trace shows the access to sdata->bss->multicast_to_unicast in the multicast-to-unicast handling. The result is a general protection fault (GPF), a kernel crash caused by an invalid memory access; KASAN classifies it as a null pointer dereference at offsets 0x178-0x17f from address zero, that is, a field read through the NULL bss pointer.

The consequence is a kernel panic or system crash, i.e. denial of service (DoS). The condition is triggered by changing the wireless interface status while packets are being transmitted, a timing window in the mac80211 code. No known exploits are reported in the wild, and no CVSS score has been assigned. The vulnerability affects Linux kernel versions identified by the given commit hashes, implying it impacts recent kernel versions prior to the patch. The flaw is a classic null pointer dereference (the pointer is cleared, not freed, before the access) caused by missing synchronization between concurrent kernel operations on the same wireless interface.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with wireless networking enabled, particularly those using mac80211-based Wi-Fi drivers. The impact is mainly a denial of service through kernel crashes, which can disrupt critical services and network connectivity. Enterprises relying on Linux servers, embedded devices, or network appliances with wireless interfaces could experience unexpected reboots or outages, affecting availability and operational continuity. Given the widespread use of Linux in European data centers, telecommunications infrastructure, and industrial control systems, this vulnerability could lead to service interruptions. Although it does not directly expose confidentiality or integrity risks, the induced DoS could be leveraged as part of a larger attack chain or to degrade network reliability. The lack of known exploits reduces immediate threat levels, but the vulnerability's presence in the kernel code base means attackers with local access or the ability to trigger interface status changes could exploit it. This is particularly relevant for organizations with remote management or automated network configuration systems. The vulnerability also affects embedded Linux devices common in IoT deployments across Europe, potentially impacting smart city infrastructure or industrial environments.

Mitigation Recommendations

To mitigate CVE-2022-49876, European organizations should:

1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available from trusted sources or vendor distributions.
2) Temporarily disable or avoid changing wireless interface statuses dynamically on critical systems until patched, especially during high network load periods.
3) Implement strict access controls to limit who can modify network interface configurations, reducing the risk of malicious or accidental triggering.
4) Monitor kernel logs for general protection faults or crashes related to mac80211 to detect potential exploitation attempts.
5) For embedded or IoT devices, coordinate with vendors to ensure firmware updates include the fix.
6) Employ network segmentation to isolate vulnerable devices and limit the impact of potential DoS conditions.
7) Consider fallback wired network configurations for critical systems to maintain availability during wireless interface issues.
8) Conduct thorough testing of wireless interface management scripts or automation tools to avoid race conditions that could trigger this fault.
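Recommendation 4 above (monitor kernel logs for mac80211-related faults) can be turned into a concrete check. The script below is an added example, not code from this page or from OffSeq: it splits a dmesg/journal-style log into individual oops reports, extracts the faulting symbol (RIP), the workqueue and the KASAN classification, and flags reports whose instruction pointer or call trace lies in mac80211 (symbols prefixed ieee80211_). The sample log is constructed for this example; its first oops reuses the symbols quoted in the CVE description, while the second oops and the wlan0 lines are invented to show that unrelated faults and normal traffic are not flagged. Treating an RIP in ieee80211_subif_start_xmit() as "matches the CVE-2022-49876 signature" is a heuristic assumption, not a definitive attribution.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample kernel log (dmesg/journal format). Timestamps and the
# second, unrelated oops are made up for this example.
SAMPLE_KLOG = """\
[  120.001] wlan0: authenticated
[  120.002] wlan0: associated
[  300.100] general protection fault, probably for non-canonical address 0xdffffc000000002f: 0000 [#1] PREEMPT SMP KASAN
[  300.101] KASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f]
[  300.102] Workqueue: mld mld_ifc_work
[  300.103] RIP: 0010:ieee80211_subif_start_xmit+0x25b/0x1310
[  300.104] Call Trace:
[  300.105]  <TASK>
[  300.106]  dev_hard_start_xmit+0x1be/0x990
[  300.107]  __dev_queue_xmit+0x2c9a/0x3b60
[  300.108]  mld_sendpack+0xa09/0xe70
[  300.109]  </TASK>
[  400.000] general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#2] PREEMPT SMP KASAN
[  400.001] RIP: 0010:example_other_driver_fn+0x10/0x200
[  400.002] Call Trace:
[  400.003]  <TASK>
[  400.004]  worker_thread+0x665/0x1080
[  400.005]  </TASK>
"""

TIMESTAMP_RE = re.compile(r"^\[\s*[\d.]+\]\s?")
# Lines that open an oops report in the kernel log.
OOPS_START_RE = re.compile(
    r"^(general protection fault|BUG: kernel NULL pointer dereference|BUG: KASAN)")
# Lines that close the report (task stack end marker or end-of-trace line).
OOPS_END_RE = re.compile(r"^(</TASK>|---\[ end trace)")
RIP_RE = re.compile(r"^RIP: [0-9a-f]{4}:([A-Za-z_][A-Za-z0-9_.]*)\+0x")
WORKQUEUE_RE = re.compile(r"^Workqueue: (.+)$")
KASAN_RE = re.compile(r"^KASAN: (.+)$")
MAC80211_SYM_RE = re.compile(r"\b(ieee80211_[A-Za-z0-9_]+)")


@dataclass
class Oops:
    header: str
    lines: List[str] = field(default_factory=list)
    rip_symbol: Optional[str] = None
    workqueue: Optional[str] = None
    kasan: Optional[str] = None
    mac80211_symbols: List[str] = field(default_factory=list)


def _strip_ts(line: str) -> str:
    return TIMESTAMP_RE.sub("", line).strip()


def parse_oopses(text: str) -> List[Oops]:
    """Group log lines into oops reports and pull out the fields we care about."""
    oopses: List[Oops] = []
    current: Optional[Oops] = None
    for raw in text.splitlines():
        line = _strip_ts(raw)
        if current is None:
            if OOPS_START_RE.match(line):
                current = Oops(header=line, lines=[line])
            continue
        current.lines.append(line)
        if (m := RIP_RE.match(line)):
            current.rip_symbol = m.group(1)
        if (m := WORKQUEUE_RE.match(line)):
            current.workqueue = m.group(1)
        if (m := KASAN_RE.match(line)):
            current.kasan = m.group(1)
        for sym in MAC80211_SYM_RE.findall(line):
            if sym not in current.mac80211_symbols:
                current.mac80211_symbols.append(sym)
        if OOPS_END_RE.match(line):
            oopses.append(current)
            current = None
    if current is not None:  # log ended mid-report (e.g. machine died)
        oopses.append(current)
    return oopses


def find_mac80211_faults(text: str) -> List[dict]:
    """One finding per oops whose RIP or call trace touches mac80211 code."""
    findings = []
    for oops in parse_oopses(text):
        if not oops.mac80211_symbols:
            continue
        findings.append({
            "header": oops.header,
            "rip_symbol": oops.rip_symbol,
            "workqueue": oops.workqueue,
            "kasan": oops.kasan,
            "mac80211_symbols": oops.mac80211_symbols,
            # Heuristic assumption: RIP in the function named by the CVE text.
            "matches_cve_2022_49876_signature":
                oops.rip_symbol == "ieee80211_subif_start_xmit",
        })
    return findings


if __name__ == "__main__":
    for finding in find_mac80211_faults(SAMPLE_KLOG):
        print(finding)
```

On a live host, feed it the output of `dmesg` or `journalctl -k` instead of SAMPLE_KLOG; a finding should be correlated with interface up/down or type changes logged around the same time, since the fault only appears when a status change races with transmission.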


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-01T14:05:17.238Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4f02

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 2:55:50 AM

Last updated: 8/14/2025, 3:22:37 PM

