CVE-2022-42719 Overview
CVE-2022-42719 is a use-after-free vulnerability in the mac80211 wireless networking stack of the Linux kernel. The flaw exists in the code path that parses multi-BSSID elements from WLAN management frames. Linux kernel versions 5.2 through 5.19.x before 5.19.16 are affected. An attacker capable of injecting crafted WLAN frames within radio range can trigger memory corruption, crash the kernel, and potentially execute arbitrary code in kernel context. The vulnerability is classified under [CWE-416] Use After Free and impacts a wide range of distributions including Debian, Fedora, and other downstream Linux vendors.
Critical Impact
Adjacent-network attackers can crash affected Linux systems or potentially achieve kernel-level code execution through malicious 802.11 beacon or probe response frames.
Affected Products
- Linux kernel versions 5.2 through 5.19.x before 5.19.16
- Debian Linux 10.0 and 11.0
- Fedora 35, 36, and 37
Discovery Timeline
- 2022-10-13 - CVE-2022-42719 published to NVD
- 2025-05-15 - Last updated in NVD database
Technical Details for CVE-2022-42719
Vulnerability Analysis
The vulnerability resides in the Linux kernel mac80211 subsystem, which implements the 802.11 MAC layer in software for SoftMAC wireless drivers. When processing a beacon or probe response frame containing a multi-BSSID information element, the parser frees memory that other code paths later dereference. The result is a classic use-after-free condition that can corrupt kernel heap state.
Multi-BSSID is an 802.11 mechanism allowing a single physical access point to advertise multiple virtual BSSes within one beacon. Parsing this element involves nested element processing and dynamically allocated buffers, creating conditions where lifetime tracking errors lead to dangling pointers.
Because the affected code path executes in the kernel during frame reception, exploitation does not require authentication or user interaction. The attacker only needs to be within wireless range of a vulnerable station and able to transmit crafted 802.11 frames.
Root Cause
The root cause is improper memory lifetime management in the multi-BSSID element parser introduced in kernel 5.2. The fix in commit ff05d4b45dd89b922578dac497dcabf57cf771c6 restructures how the parser allocates and releases element data, ensuring that downstream consumers do not reference freed buffers. See the Linux Wireless Commit for the upstream fix.
Attack Vector
An attacker within wireless range transmits a malicious beacon or probe response frame carrying a malformed multi-BSSID element. When a vulnerable Linux station scans for networks or otherwise processes the frame, the kernel parses the crafted element and triggers the use-after-free. Depending on heap layout and timing, the result ranges from a kernel panic to controlled memory corruption suitable for privilege escalation or remote code execution within kernel context. No code example is provided here because no verified public proof-of-concept is referenced in the advisory data; consult the Openwall OSS Security Update for additional technical context.
Detection Methods for CVE-2022-42719
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing mac80211, cfg80211, or ieee80211_bss_info_update functions in dmesg or journalctl -k output.
- Wireless interfaces repeatedly resetting or disconnecting during scan operations in proximity to unknown access points.
- Anomalous 802.11 beacon frames captured via tcpdump or airodump-ng containing malformed multi-BSSID elements (element ID 71).
Detection Strategies
- Inventory installed kernel versions across Linux endpoints and flag any system running a 5.2 through 5.19.15 kernel as vulnerable.
- Monitor kernel crash telemetry for signatures involving the mac80211 stack during wireless scan operations.
- Deploy wireless intrusion detection sensors that can flag beacons containing oversized or malformed multi-BSSID elements.
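A structural check that a wireless sensor could apply to the tagged parameters of a beacon or probe response, given here as an added example rather than code from the advisory or the kernel. It walks the element list, descends into multi-BSSID elements (ID 71) and their nontransmitted-profile subelements, and reports any length that overruns its container. The function names, the 1 to 8 bound on the MaxBSSID indicator and the sample byte strings are assumptions of this example; the checks are generic well-formedness tests, not a signature for the specific flaw.

```python
MBSSID_EID = 71     # Multiple BSSID element ID, as cited in the list above
NONTX_PROFILE = 0   # subelement ID carrying a nontransmitted BSSID profile

def walk_tlv(buf):
    """Yield (id, payload, ok) per ID/length/value record; ok=False on overrun."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):            # lone ID byte with no length byte
            yield buf[pos], b"", False
            return
        eid, length = buf[pos], buf[pos + 1]
        payload = buf[pos + 2:pos + 2 + length]
        ok = len(payload) == length       # declared length must fit in buf
        yield eid, payload, ok
        if not ok:
            return                        # cannot resynchronise after an overrun
        pos += 2 + length

def audit_mbssid(tagged_params):
    """Return structural findings for one frame's tagged parameters."""
    findings = []
    for eid, body, ok in walk_tlv(tagged_params):
        if not ok:
            findings.append(f"element {eid}: length overruns frame")
        elif eid == MBSSID_EID:
            findings += _audit_element(body)
    return findings

def _audit_element(body):
    if not body:
        return ["multi-BSSID: MaxBSSID indicator missing"]
    out = []
    if not 1 <= body[0] <= 8:             # sanity bound assumed by this example
        out.append(f"multi-BSSID: MaxBSSID indicator {body[0]} out of range")
    for sid, sub, sub_ok in walk_tlv(body[1:]):
        if not sub_ok:
            out.append(f"multi-BSSID: subelement {sid} overruns element")
        elif sid == NONTX_PROFILE:        # profiles nest a further element list
            out += [f"multi-BSSID: nested element {nid} overruns profile"
                    for nid, _, n_ok in walk_tlv(sub) if not n_ok]
    return out
# Constructed samples (not captured traffic): SSID element + multi-BSSID element.
_PROFILE = bytes([83, 2, 1, 0]) + bytes([0, 3]) + b"lab" + bytes([85, 1, 1])
GOOD = bytes([0, 4]) + b"corp" + bytes([71, 15, 2, 0, 12]) + _PROFILE
BAD = bytes([0, 4]) + b"corp" + bytes([71, 15, 0, 0, 40]) + _PROFILE
if __name__ == "__main__":
    for name, frame in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_mbssid(frame) or "no findings")
```

For a monitor-mode capture, pass the bytes that follow the radiotap header, the 24-byte management header and the 12 bytes of fixed beacon fields.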
Monitoring Recommendations
- Forward kernel logs from Linux endpoints to a centralized logging or SIEM platform and alert on mac80211-related crash signatures.
- Track package version state for linux-image-*, kernel-core, and equivalent packages across the fleet to confirm patch deployment.
- Audit physical and RF perimeters in sensitive locations where adjacent-network attacks against laptops or IoT Linux devices are plausible.
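A first-pass triage for the kernel-version inventory and crash-signature monitoring described above, as an added example that is not part of the advisory. The function names, the regular expressions and the sample log lines are constructed for illustration. Distribution kernels that backport the fix keep an in-range version string, so a True result from the range check means "confirm against the vendor advisory", not "confirmed vulnerable".

```python
import re

FIRST_AFFECTED = (5, 2, 0)    # advisory range: 5.2 ...
FIRST_FIXED = (5, 19, 16)     # ... up to, but not including, 5.19.16
CRASH_HEAD = re.compile(r"BUG:|Oops:|general protection fault|Kernel panic", re.I)
WIFI_SYMS = re.compile(r"\b(mac80211|cfg80211|ieee80211_\w+)")

def in_affected_range(release):
    """True if a `uname -r` style string falls in 5.2 <= version < 5.19.16."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    version = tuple(int(part or 0) for part in m.groups())
    return FIRST_AFFECTED <= version < FIRST_FIXED

def wifi_crash_reports(lines, window=30):
    """Return (crash_line, symbol) for each crash header that is followed,
    within `window` lines, by a wireless-stack symbol. One hit per window."""
    hits, skip_until = [], 0
    for i, line in enumerate(lines):
        if i < skip_until or not CRASH_HEAD.search(line):
            continue
        for follow in lines[i:i + window]:
            sym = WIFI_SYMS.search(follow)
            if sym:
                hits.append((line.strip(), sym.group(1)))
                skip_until = i + window   # do not re-report the same dump
                break
    return hits

# Constructed kernel log excerpt (not from a real incident).
SAMPLE_LOG = [
    "kernel: wlan0: authenticated",
    "kernel: BUG: unable to handle page fault for address: ffff888012345678",
    "kernel: RIP: 0010:ieee80211_bss_info_update+0x1a2/0x3c0 [mac80211]",
    "kernel: usb 1-1: new high-speed USB device number 4",
]

if __name__ == "__main__":
    for rel in ("5.10.0-18-amd64", "5.19.16-200.fc36.x86_64", "4.19.0-21-amd64"):
        print(rel, "in affected range" if in_affected_range(rel) else "outside range")
    print(wifi_crash_reports(SAMPLE_LOG))
```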
How to Mitigate CVE-2022-42719
Immediate Actions Required
- Upgrade Linux kernels to 5.19.16 or later, or apply the distribution-specific patched kernel package from your vendor.
- Reboot systems after kernel package installation to activate the patched image; verify with uname -r.
- For systems that cannot be patched immediately, disable wireless interfaces in environments where adjacent-network exposure is unacceptable.
Patch Information
The upstream fix is committed as ff05d4b45dd89b922578dac497dcabf57cf771c6 in the wireless tree and shipped in Linux 5.19.16. Distribution patches are available via the Debian Security Advisory DSA-5257, the Debian LTS Announcement, and the Fedora package updates listed in the Fedora Package Announcement. NetApp customers should review the NetApp Security Advisory. Live patching is documented in the Packet Storm Security Notice.
Workarounds
- Unload the mac80211 and corresponding wireless driver modules on systems that do not require Wi-Fi connectivity: rmmod the relevant driver and blacklist it in /etc/modprobe.d/.
- Restrict wireless scanning by keeping affected laptops and devices in trusted RF environments until patched.
- Use a wired connection in place of Wi-Fi for high-value Linux hosts that cannot be patched promptly.
# Verify kernel version and update on Debian/Ubuntu
uname -r
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r | sed 's/.*-//')
sudo reboot
# Verify kernel version and update on Fedora
uname -r
sudo dnf update kernel kernel-core kernel-modules
sudo reboot
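# Temporary mitigation: block the mac80211 module if Wi-Fi is unused.
# "blacklist" alone only stops alias-based autoloading; the "install" line
# also stops mac80211 from being pulled in as a dependency of a wireless driver.
printf 'blacklist mac80211\ninstall mac80211 /bin/false\n' | sudo tee /etc/modprobe.d/disable-mac80211.conf
sudo update-initramfs -u   # Debian/Ubuntu; on Fedora use: sudo dracut -f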

