CVE-2022-49112

MEDIUM EPSS 13.1%
Published Feb 26, 20251y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 26, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: mt76: fix monitor mode crash with sdio driver mt7921s driver may receive frames with fragment buffers. If there is a CTS packet received in monitor mode, the payload is 10 bytes only and need 6 bytes header padding after RXD buffer. However, only RXD in the first linear buffer, if we pull buffer size RXD-size+6 bytes with skb_pull(), that would trigger "BUG_ON(skb->len < skb->data_len)" in __skb_pull(). To avoid the nonlinear buffer issue, enlarge the RXD size from 128 to 256 to make sure all MCU operation in linear buffer. [ 52.007562] kernel BUG at include/linux/skbuff.h:2313! [ 52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 52.007987] pc : skb_pull+0x48/0x4c [ 52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common] [ 52.008361] Call trace: [ 52.008377] skb_pull+0x48/0x4c [ 52.008400] mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c] [ 52.008431] __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917] [ 52.008449] kthread+0x148/0x3ac [ 52.008466] ret_from_fork+0x10/0x30

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
13.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 3

VendorProductVersionRange
linuxlinux_kernel*≥4.16  –  <5.15.34
linuxlinux_kernel*≥5.16  –  <5.16.20
linuxlinux_kernel*≥5.17  –  <5.17.3

References 4

  • git.kernel.org https://git.kernel.org/stable/c/123bc712b1de0805f9d683687e17b1ec2aba0b68
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/13946d5a68efd11dd6af2f6ef4c908f6b00158a5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/95e2af01669c7a3cb7a933cefa06361f9db15059
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c37b4cab3d97ef64b206fca4d9daabd9aff7356e
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/123bc712b1de0805f9d683687e17b1ec2aba0b68
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/13946d5a68efd11dd6af2f6ef4c908f6b00158a5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/95e2af01669c7a3cb7a933cefa06361f9db15059
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c37b4cab3d97ef64b206fca4d9daabd9aff7356e
    Patch