CVE-2022-41674 Overview
CVE-2022-41674 is a buffer overflow vulnerability in the Linux kernel's mac80211 wireless subsystem affecting kernels prior to 5.19.16. The flaw resides in the ieee80211_bss_info_update function in net/mac80211/scan.c. Attackers within wireless range can inject crafted WLAN frames to trigger memory corruption [CWE-787]. The vulnerability impacts mainline Linux, multiple Fedora releases (35, 36, 37), and Debian 10 and 11. Successful exploitation can lead to denial of service or potential code execution in kernel context.
Critical Impact
An adjacent network attacker can transmit malicious 802.11 frames to overflow kernel memory buffers, causing system crashes or arbitrary code execution at the kernel level without requiring authentication or user interaction.
Affected Products
- Linux Kernel versions prior to 5.19.16
- Fedora 35, 36, and 37
- Debian Linux 10.0 and 11.0
Discovery Timeline
- 2022-10-13 - Vulnerability publicly disclosed on the OSS-Security mailing list
- 2022-10-14 - CVE-2022-41674 published to NVD
- 2025-05-15 - Last updated in NVD database
Technical Details for CVE-2022-41674
Vulnerability Analysis
The vulnerability is an out-of-bounds write [CWE-787] in the ieee80211_bss_info_update function within the mac80211 Wi-Fi stack. This function processes Basic Service Set (BSS) information extracted from received beacon and probe response frames during scanning. When parsing malformed information elements in WLAN management frames, the kernel writes beyond the bounds of an allocated buffer.
Because mac80211 handles frames before any 802.11 authentication occurs, the flaw is reachable by any attacker capable of transmitting Wi-Fi frames within radio range of the target. The kernel-level execution context makes this issue particularly impactful, allowing memory corruption to affect system stability and integrity of the operating system.
Root Cause
The root cause is insufficient bounds checking when copying or parsing variable-length information elements from incoming WLAN frames into kernel-managed BSS structures. The function trusts attacker-controlled length fields in the 802.11 frame format without adequately validating them against destination buffer capacity. The upstream fix is committed in the wireless tree at commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d.
Attack Vector
Exploitation requires an adjacent network position, meaning the attacker must be within Wi-Fi range of a vulnerable host. The attacker broadcasts crafted beacon, probe response, or other management frames containing malformed information elements. Any Linux system with an active wireless interface performing scans will process these frames automatically, with no user interaction or authentication required.
The vulnerability mechanism is documented in the upstream kernel commit and related distribution advisories. See the Wireless Project Commit Update and the OpenWall OSS Security Discussion for technical details. No public proof-of-concept exploit is available at this time.
Detection Methods for CVE-2022-41674
Indicators of Compromise
- Unexpected kernel oops, panics, or call traces referencing ieee80211_bss_info_update or cfg80211 functions in dmesg output.
- Repeated wireless interface resets, driver crashes, or system instability on hosts within range of unknown access points.
- Anomalous 802.11 beacon or probe response frames with malformed or oversized information elements captured by monitor-mode sniffers.
Detection Strategies
- Audit Linux kernel versions across endpoints, servers, and IoT devices to identify hosts running kernels older than 5.19.16.
- Monitor kernel log messages for WARNING, BUG, or KASAN reports involving the mac80211 subsystem and scan handling code paths.
- Deploy wireless intrusion detection systems (WIDS) in sensitive environments to flag malformed management frames consistent with mac80211 exploitation attempts.
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and create alerts on mac80211 crash signatures.
- Track wireless driver reload events and unexpected interface state transitions on Linux endpoints.
- Correlate physical-proximity events such as unrecognized SSIDs or rogue access points with host-level kernel instability alerts.
How to Mitigate CVE-2022-41674
Immediate Actions Required
- Update the Linux kernel to version 5.19.16 or later on all affected hosts.
- Apply distribution patches: Debian users should install updates per Debian Security Advisory DSA-5257, and Fedora users should consult the Fedora Package Announcement.
- Reboot systems after kernel package installation to load the patched kernel image, or use kernel live patching where supported, as described in the Kernel Live Patch Security Notice LSN-0090-1.
- Prioritize patching of laptops, mobile workstations, and any Linux device with an enabled Wi-Fi interface.
Patch Information
The vulnerability was fixed in mainline Linux 5.19.16 via commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d in the wireless tree. Backported fixes are available from Debian (linux package via DSA-5257), Fedora (kernel updates for releases 35, 36, and 37), and SUSE (tracked in Suse Bugzilla Report #1203770). Review the Linux Kernel Commit Log for the full set of related changes to scan.c.
Workarounds
- Disable the wireless interface on systems that do not require Wi-Fi connectivity using ip link set <wlan_iface> down or by unloading the wireless driver module with rmmod.
- Avoid connecting to or operating Linux hosts in untrusted wireless environments until patches are applied.
- Where feasible, blocklist or unload the affected mac80211 module on servers that have no operational need for wireless networking.
# Verify current kernel version and disable wireless until patched
uname -r
# Bring down wireless interface (replace wlan0 with your interface)
sudo ip link set wlan0 down
# Optionally unload mac80211-dependent driver (example: iwlwifi)
sudo modprobe -r iwlwifi
# Debian/Ubuntu: install patched kernel
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r | cut -d- -f3-)
# Fedora: update kernel to patched release
sudo dnf update kernel kernel-core kernel-modules
# Reboot to load patched kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
