CVE-2022-49479

In the Linux kernel, the following vulnerability has been resolved: mt76: fix tx status related use-after-free race on station removal There is a small race window where ongoing tx activity can lead to a skb getting added to the status tracking idr after that idr has already been cleaned up, which will keep the wcid linked in the status poll list. Fix this by only adding status skbs if the wcid pointer is still assigned in dev->wcid, which gets cleared early by mt76_sta_pre_rcu_remove

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/ddd426d72aca4054045a9bd3b80a4ce1d398f11f	Patch
https://git.kernel.org/stable/c/ef7f9f894cfd0b2e471206409a529af4a26ddd55	Patch
https://git.kernel.org/stable/c/fcfe1b5e162bf473c1d47760962cec8523c00466	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2025-02-26 07:01

Updated : 2025-03-24 19:59

NVD link : CVE-2022-49479

Mitre link : CVE-2022-49479

CVE.ORG link : CVE-2022-49479

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2022-49479", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:24.153", "references": [{"url": "https://git.kernel.org/stable/c/ddd426d72aca4054045a9bd3b80a4ce1d398f11f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ef7f9f894cfd0b2e471206409a529af4a26ddd55", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fcfe1b5e162bf473c1d47760962cec8523c00466", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix tx status related use-after-free race on station removal\n\nThere is a small race window where ongoing tx activity can lead to a skb\ngetting added to the status tracking idr after that idr has already been\ncleaned up, which will keep the wcid linked in the status poll list.\nFix this by only adding status skbs if the wcid pointer is still assigned\nin dev->wcid, which gets cleared early by mt76_sta_pre_rcu_remove"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mt76: se corrige la ejecuci\u00f3n de use-after-free relacionada con el estado de la tx al eliminar la estaci\u00f3n. Hay una peque\u00f1a ventana de ejecuci\u00f3n donde la actividad de tx en curso puede provocar que se agregue un skb al idr de seguimiento de estado despu\u00e9s de que ese idr ya se haya limpiado, lo que mantendr\u00e1 el wcid vinculado en la lista de sondeo de estado. Solucione esto agregando skbs de estado solo si el puntero wcid a\u00fan est\u00e1 asignado en dev->wcid, que se limpia antes con mt76_sta_pre_rcu_remove"}], "lastModified": "2025-03-24T19:59:14.917", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}