CVE-2022-41674 Overview
CVE-2022-41674 is a heap buffer overflow in the Linux kernel before version 5.19.16. NVD places the flaw in the ieee80211_bss_info_update function in net/mac80211/scan.c, the mac80211 code that records beacons and probe responses as scan results. The faulty length arithmetic that the fix commit corrects sits one layer below that call, in cfg80211's handling of the Multiple BSSID element (cfg80211_update_notlisted_nontrans in net/wireless/scan.c), which is reached from this path. An attacker able to inject WLAN frames that the victim's wireless interface receives while scanning can trigger the overflow, leading to information disclosure from kernel memory or denial of service on affected systems.
Critical Impact
Adjacent network attackers, meaning anyone within radio range of the victim's wireless interface, can inject the malicious frames and cause a heap buffer overflow that compromises system confidentiality and availability without authentication or user interaction. NVD rates the issue CVSS 3.1 8.1 (High), vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H.
Affected Products
- Linux Kernel (versions prior to 5.19.16; the vulnerable code dates from the addition of Multiple BSSID element parsing, so older stable series that carry that code are affected until they pick up the backported fix, and the exact patch level of a distribution kernel matters, not only whether it is below 5.19.16)
- Fedora 35, 36, and 37
- Debian Linux 10.0 and 11.0
Discovery Timeline
- 2022-10-14 - CVE-2022-41674 published to NVD
- 2025-05-15 - Last updated in NVD database
Technical Details for CVE-2022-41674
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write): the affected code writes past the end of a heap allocation. The flaw resides in the kernel's IEEE 802.11 scanning path, where mac80211 (net/mac80211/scan.c) hands received beacons and probe responses to cfg80211 to be recorded as BSS entries.
The ieee80211_bss_info_update function is the mac80211 entry point for a received beacon or probe response during scanning. When a frame carries a Multiple BSSID element, cfg80211 rebuilds the information-element list for each non-transmitted BSS announced in it, copying the transmitted BSS's elements minus the SSID and the Multiple BSSID element itself. A wrap in the 8-bit variable used for one of those copy lengths makes the following memcpy() copy far more than was allocated, corrupting adjacent heap memory. The result is information disclosure from kernel memory or a crash that denies service.
The attacker must be within radio range of the target so that the victim's interface receives the injected frames; no association with the victim's network is required, because scanning processes beacons and probe responses from any access point in range. No authentication or user interaction is needed, which makes the issue particularly concerning for laptops and embedded devices with an active wireless interface.
Root Cause
The root cause is an integer truncation in the length arithmetic of cfg80211_update_notlisted_nontrans, not a missing bound on a fixed-size buffer. The function computes the size of the rebuilt element list (new_ie_len) from the element lengths in the frame and allocates a buffer of that size, then copies the elements over in three steps. The copy length for each step is held in a u8 (cpy_len), and the third step computes cpy_len = mbssid[1] + 2 to skip past the Multiple BSSID element. Because mbssid[1] is itself a u8, a length field of 254 or 255 wraps the sum to 0 or 1, so the memcpy() that follows copies 256 bytes more than intended into a buffer that was sized from the unwrapped lengths, overflowing the allocation.
The fix, commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d ("wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()"), changes cpy_len to size_t so that the addition cannot wrap. The bug was present since Multiple BSSID parsing was added to cfg80211, which is why the fix was also backported to older stable series.
Attack Vector
The attack vector for CVE-2022-41674 is adjacent network, meaning the attacker must be within wireless range of the target system but needs no access to its network. The exploitation process involves:
- The attacker positions themselves within radio range of the vulnerable Linux system
- Beacon or probe response frames are crafted with a Multiple BSSID element whose length field is 254 or 255, the values that wrap the kernel's u8 copy length
- These frames are transmitted so that the victim's interface receives them while it is scanning
- When the vulnerable kernel records the frame, the copy in cfg80211_update_notlisted_nontrans, reached from ieee80211_bss_info_update, runs past the end of the allocated buffer
- The overflow corrupts adjacent kernel heap memory, leading to information disclosure or a crash
No authentication credentials or user interaction are required: systems with an active wireless interface scan automatically, for example when looking for known networks or roaming, so the victim need not do anything for its kernel to process the attacker's frames.
Detection Methods for CVE-2022-41674
Indicators of Compromise
- Unexpected kernel crashes or panics with call traces through the mac80211 or cfg80211 scan code (ieee80211_bss_info_update, cfg80211_inform_bss_frame_data, cfg80211_update_notlisted_nontrans)
- Beacon or probe response frames in wireless captures whose Multiple BSSID element (element ID 71) has a length field of 254 or 255, the two values that trigger the wrap
- Kernel log messages reporting slab corruption or, on kernels built with KASAN, a slab-out-of-bounds write in the cfg80211 scan code
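The u8 wrap described under Root Cause and the frame check behind the second indicator above, as an added example in C (this is not kernel code, not SentinelOne's, and not from the original page): model_copy() reproduces the length arithmetic of the affected copy sequence on a constructed element list and returns how many bytes the unpatched u8 version writes compared with the size_t version, and frame_would_trigger() is a capture-side check that flags a Multiple BSSID element whose length field (254 or 255) would wrap. The element list, the 0xAA filler standing in for the MBSSID element body, the non-transmitted SSID length and the helper names are all constructed for the example. The check is a necessary trigger condition only, not an emulation of the kernel's scan-result bookkeeping.

```c
/*
 * Added example, not kernel code: a model of the information-element copy
 * arithmetic behind CVE-2022-41674 and a capture-side check for frames that
 * would trip it. Element IDs follow IEEE 802.11: SSID = 0, Multiple BSSID = 71.
 * The sample element list below is constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_SSID           0
#define WLAN_EID_MULTIPLE_BSSID 71

/* Walk the (ID, length, payload) element list and return the first match. */
static const uint8_t *find_ie(uint8_t eid, const uint8_t *ies, size_t len)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t id = ies[off], elen = ies[off + 1];
        if (off + 2 + elen > len)        /* truncated element: stop walking */
            return NULL;
        if (id == eid)
            return ies + off;
        off += 2 + elen;
    }
    return NULL;
}

struct copy_plan {
    size_t alloc;    /* bytes allocated for the rebuilt element list */
    size_t written;  /* bytes the three copies would write into it   */
};

/*
 * Model of the copy sequence in cfg80211_update_notlisted_nontrans(): the
 * rebuilt list holds the non-transmitted SSID, the elements between the SSID
 * and the MBSSID element, and the elements after the MBSSID element. Only the
 * third step differs between the vulnerable (u8) and fixed (size_t) code.
 */
struct copy_plan model_copy(const uint8_t *ies, size_t ielen,
                            uint8_t nontrans_ssid_len, bool fixed)
{
    struct copy_plan p = {0, 0};
    const uint8_t *trans_ssid = find_ie(WLAN_EID_SSID, ies, ielen);
    const uint8_t *mbssid = find_ie(WLAN_EID_MULTIPLE_BSSID, ies, ielen);
    if (!trans_ssid || !mbssid || mbssid < trans_ssid)
        return p;                        /* kernel returns early here too */

    /* new_ie_len = ielen - trans_ssid[1] - mbssid[1] + nontrans_ssid[1] */
    p.alloc = ielen - trans_ssid[1] - mbssid[1] + nontrans_ssid_len;

    size_t cpy_len;
    size_t written = (size_t)nontrans_ssid_len + 2;          /* step 1 */
    cpy_len = (size_t)trans_ssid[1] + 2;                      /* step 2 */
    written += (size_t)(mbssid - (trans_ssid + cpy_len));
    if (fixed)
        cpy_len = (size_t)mbssid[1] + 2;      /* patched: cannot wrap   */
    else
        cpy_len = (uint8_t)(mbssid[1] + 2);   /* vulnerable: 255+2 -> 1 */
    written += (size_t)((ies + ielen) - (mbssid + cpy_len));  /* step 3 */
    p.written = written;
    return p;
}

/*
 * Capture-side check: does this element list contain a Multiple BSSID element
 * whose length field would wrap the u8 in an unpatched kernel? Long MBSSID
 * elements are legitimate, so treat a hit as something to investigate.
 */
bool frame_would_trigger(const uint8_t *ies, size_t ielen)
{
    const uint8_t *ssid = find_ie(WLAN_EID_SSID, ies, ielen);
    const uint8_t *mbssid = find_ie(WLAN_EID_MULTIPLE_BSSID, ies, ielen);
    if (!ssid || !mbssid || mbssid < ssid)   /* path needs SSID before MBSSID */
        return false;
    return (uint8_t)(mbssid[1] + 2) < 2;     /* 254 -> 0, 255 -> 1 */
}

/* Constructed sample element list: SSID, Supported Rates, MBSSID with the
 * given length (0xAA filler stands in for the real body), DS Parameter Set. */
size_t build_sample_ies(uint8_t *buf, size_t cap, uint8_t mbssid_len)
{
    const uint8_t ssid[]  = {WLAN_EID_SSID, 4, 't', 'e', 's', 't'};
    const uint8_t rates[] = {1, 3, 0x82, 0x84, 0x8b};
    const uint8_t ds[]    = {3, 1, 6};
    size_t off = 0;
    if (cap < sizeof ssid + sizeof rates + 2u + mbssid_len + sizeof ds)
        return 0;
    memcpy(buf + off, ssid, sizeof ssid);   off += sizeof ssid;
    memcpy(buf + off, rates, sizeof rates); off += sizeof rates;
    buf[off++] = WLAN_EID_MULTIPLE_BSSID;
    buf[off++] = mbssid_len;
    memset(buf + off, 0xAA, mbssid_len);    off += mbssid_len;
    memcpy(buf + off, ds, sizeof ds);       off += sizeof ds;
    return off;
}

int main(void)
{
    uint8_t frame[512];
    size_t ielen = build_sample_ies(frame, sizeof frame, 255);
    struct copy_plan vuln = model_copy(frame, ielen, 5, false);
    struct copy_plan fix  = model_copy(frame, ielen, 5, true);
    printf("ielen=%zu alloc=%zu unpatched writes %zu bytes, patched writes %zu\n",
           ielen, vuln.alloc, vuln.written, fix.written);
    printf("trigger condition present: %s\n",
           frame_would_trigger(frame, ielen) ? "yes" : "no");
    return 0;
}
```

With a 255-byte MBSSID element the patched arithmetic writes 15 bytes into a 17-byte allocation, while the unpatched arithmetic writes 271 bytes, 256 more than intended and 254 past the end of the allocation, which is the "256 bytes too much" the fix commit describes. A capture tool built around frame_would_trigger() should log the transmitting BSSID and the frame for review rather than alert blindly, since an unpatched host may already have crashed by the time the frame is seen.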
Detection Strategies
- Monitor kernel logs for oops, panic or slab-corruption messages whose call traces pass through the mac80211 or cfg80211 scan code
- Deploy wireless intrusion detection that parses beacon and probe response elements and flags Multiple BSSID elements with a length field of 254 or 255
- Implement endpoint detection that reports kernel oops or panic events tied to wireless drivers, and correlate them with the wireless environment the host was in at the time
Monitoring Recommendations
- Enable enhanced kernel logging for wireless subsystem events
- Monitor for unusual patterns in wireless network traffic using network sensors
- Deploy SentinelOne agents on Linux endpoints to detect exploitation attempts and kernel-level anomalies
How to Mitigate CVE-2022-41674
Immediate Actions Required
- Update the Linux kernel to 5.19.16 or later, or to a stable or distribution kernel that carries the backported fix, and reboot into it (a running kernel stays vulnerable until rebooted unless a live patch is applied)
- Apply distribution security patches from Debian, Fedora, or your Linux vendor
- Disable wireless interfaces on critical systems until the patched kernel is running; the frames are received during scanning without any association, so the radio must be off for the exposure to go away
Patch Information
Security patches addressing this vulnerability are available through multiple channels. The fix was committed to the Linux kernel wireless tree as commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d ("wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()") and is included in 5.19.16 and in stable backports. Distribution-specific patches are available:
- Debian Security Advisory DSA-5257
- Debian LTS Announcement
- Fedora Package Updates
- Kernel Live Patch Security Notice LSN-0090-1
For tracking and additional details, see the SUSE Bugzilla Report #1203770 and the Linux Kernel Git Commit.
Workarounds
- Disable wireless interfaces with ip link set wlan0 down, or soft-block the radio with rfkill, if wireless connectivity is not essential
- Network segmentation does not help here: the malicious frames are received over the air during scanning, before any association, so only taking the radio down or patching removes the exposure
- Use wired Ethernet connections instead of wireless where possible until patching is complete
# Take the wireless interface down (not persistent across reboots)
sudo ip link set wlan0 down
# Or soft-block every Wi-Fi radio at once (also not persistent)
sudo rfkill block wlan
# Keep mac80211 from loading at the next boot. Use an "install" rule, not
# "blacklist": blacklist only stops alias-based autoloading and does not stop
# a Wi-Fi driver from pulling mac80211 in as a dependency.
echo "install mac80211 /bin/false" | sudo tee /etc/modprobe.d/disable-wifi.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


