Vulnerabilities in the wireless stack of the Linux kernel that allow remote code execution

A series of vulnerabilities has been identified in the Linux kernel's 802.11 wireless stack (mac80211/cfg80211). Some of them lead to buffer overflows and can potentially be used for remote code execution when a malicious access point sends specially crafted frames to the victim. At the time of writing the fixes exist only as patches; no kernel release containing them is available yet.

To demonstrate that an attack is feasible, example frames that trigger the overflow have been published, along with a utility for injecting those frames into the 802.11 stack. Because the bugs sit in the generic stack rather than in a particular driver, they affect systems regardless of which wireless driver is in use. The identified problems are expected to be usable for building working exploits for remote attacks on affected systems.

  • CVE-2022-41674 - Buffer overflow in the cfg80211_update_notlisted_nontrans() function allowing up to 256 bytes on the heap to be overwritten. Present since Linux 5.1; usable for remote code execution.
  • CVE-2022-42719 - Use-after-free in the MBSSID (multiple BSSID) element parsing code. Present since Linux 5.2; usable for remote code execution.
  • CVE-2022-42720 - Use-after-free in the BSS (Basic Service Set) reference counting code. Present since Linux 5.1; usable for remote code execution.
  • CVE-2022-42721 - BSS list corruption leading to an infinite loop. Present since Linux 5.1; usable for denial of service.
  • CVE-2022-42722 - NULL pointer dereference in the beacon frame protection code. Usable for denial of service.
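As an added illustration of the bug class behind the first entry in the list (this is example code written for this page, not the kernel's cfg80211 code, and the frame bytes are constructed): 802.11 information elements are TLVs with a one-byte ID and a one-byte length, so a parser that trusts the length byte, or does its size arithmetic in an 8-bit type, can be steered past the end of a heap buffer by a single crafted frame. The walker below validates every element against the enclosing buffer, and the SSID-replacement copy (loosely modelled on the rebuild a nontransmitted-BSS handler has to do; that shape is an assumption, not the kernel's actual logic) computes its output size in size_t and checks the destination before writing a byte. The element IDs and helper names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Example code for this page, not kernel code.  Element IDs are assumed
 * (the SSID element does carry ID 0 in 802.11; the rates ID is illustrative). */
#define WLAN_EID_SSID        0
#define WLAN_EID_SUPP_RATES  1

struct ie {
    uint8_t id;
    uint8_t len;
    const uint8_t *data;        /* points into the original buffer */
};

/*
 * Walk the whole element list.  Returns 1 if an element with id `eid` was
 * found (first match written to *out), 0 if the list is well formed but has
 * no such element, -1 if any element's declared length runs past `ielen`.
 * Validating every element, not only the one we want, means no later copy
 * loop can be pushed off the end of the buffer by one bad length byte.
 */
int ie_find(const uint8_t *ies, size_t ielen, uint8_t eid, struct ie *out)
{
    size_t pos = 0;
    int found = 0;

    while (pos < ielen) {
        if (ielen - pos < 2)
            return -1;                      /* truncated header */
        uint8_t id  = ies[pos];
        uint8_t len = ies[pos + 1];
        if (len > ielen - pos - 2)
            return -1;                      /* body runs past the buffer */
        if (!found && id == eid) {
            found = 1;
            if (out) {
                out->id = id;
                out->len = len;
                out->data = ies + pos + 2;
            }
        }
        pos += 2 + (size_t)len;
    }
    return found;
}

/*
 * Copy `ies` into `dst`, replacing the body of the SSID element with
 * `new_ssid`.  The output size is computed in size_t and checked against
 * `dstlen` before anything is written.  Returns bytes written, or -1 on a
 * malformed list, a missing SSID, or insufficient space.  Doing this
 * arithmetic in a u8, or skipping the dstlen check, is how a crafted length
 * byte becomes a heap overwrite.
 */
long ies_replace_ssid(const uint8_t *ies, size_t ielen,
                      const uint8_t *new_ssid, uint8_t new_ssid_len,
                      uint8_t *dst, size_t dstlen)
{
    struct ie ssid;
    if (ie_find(ies, ielen, WLAN_EID_SSID, &ssid) != 1)
        return -1;

    size_t head = (size_t)(ssid.data - ies);    /* bytes up to and including the SSID header */
    size_t tail = ielen - head - ssid.len;      /* everything after the SSID body */
    size_t need = head + new_ssid_len + tail;
    if (need > dstlen)
        return -1;

    memcpy(dst, ies, head);
    dst[head - 1] = new_ssid_len;               /* patch the SSID length byte */
    memcpy(dst + head, new_ssid, new_ssid_len);
    memcpy(dst + head + new_ssid_len, ssid.data + ssid.len, tail);
    return (long)need;
}

/* Constructed sample element lists, not captured frames. */
static const uint8_t good_ies[] = { 0x00, 0x02, 'a', 'b',      /* SSID "ab" */
                                    0x01, 0x02, 0x82, 0x84 };   /* supported rates */
static const uint8_t bad_ies[]  = { 0x00, 0xff, 'a', 'b' };     /* SSID claims 255 bytes, has 2 */

int main(void)
{
    uint8_t out[32];
    long n = ies_replace_ssid(good_ies, sizeof good_ies,
                              (const uint8_t *)"longer", 6, out, sizeof out);
    printf("well-formed list rebuilt: %ld bytes\n", n);
    printf("malformed list rejected: %d\n",
           ie_find(bad_ies, sizeof bad_ies, WLAN_EID_SSID, NULL));
    return 0;
}
```

The second sample list is the shape of input the published frames exploit: a length byte larger than the bytes actually present. With the checks in place it is rejected before any copy happens; without them the rebuild would read 255 bytes from wherever the buffer happens to end.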

Source: opennet.ru
