fkie_cve-2022-49479
Vulnerability from fkie_nvd
Published
2025-02-26 07:01
Modified
2025-03-24 19:59
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: mt76: fix tx status related use-after-free race on station removal There is a small race window where ongoing tx activity can lead to a skb getting added to the status tracking idr after that idr has already been cleaned up, which will keep the wcid linked in the status poll list. Fix this by only adding status skbs if the wcid pointer is still assigned in dev->wcid, which gets cleared early by mt76_sta_pre_rcu_remove
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ddd426d72aca4054045a9bd3b80a4ce1d398f11fPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ef7f9f894cfd0b2e471206409a529af4a26ddd55Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fcfe1b5e162bf473c1d47760962cec8523c00466Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252",
              "versionEndExcluding": "5.17.14",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2",
              "versionEndExcluding": "5.18.3",
              "versionStartIncluding": "5.18",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix tx status related use-after-free race on station removal\n\nThere is a small race window where ongoing tx activity can lead to a skb\ngetting added to the status tracking idr after that idr has already been\ncleaned up, which will keep the wcid linked in the status poll list.\nFix this by only adding status skbs if the wcid pointer is still assigned\nin dev-\u003ewcid, which gets cleared early by mt76_sta_pre_rcu_remove"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mt76: se corrige la ejecuci\u00f3n de use-after-free relacionada con el estado de la tx al eliminar la estaci\u00f3n. Hay una peque\u00f1a ventana de ejecuci\u00f3n donde la actividad de tx en curso puede provocar que se agregue un skb al idr de seguimiento de estado despu\u00e9s de que ese idr ya se haya limpiado, lo que mantendr\u00e1 el wcid vinculado en la lista de sondeo de estado. Solucione esto agregando skbs de estado solo si el puntero wcid a\u00fan est\u00e1 asignado en dev-\u0026gt;wcid, que se limpia antes con mt76_sta_pre_rcu_remove"
    }
  ],
  "id": "CVE-2022-49479",
  "lastModified": "2025-03-24T19:59:14.917",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-26T07:01:24.153",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ddd426d72aca4054045a9bd3b80a4ce1d398f11f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ef7f9f894cfd0b2e471206409a529af4a26ddd55"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/fcfe1b5e162bf473c1d47760962cec8523c00466"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.