CVE-2022-42720 in Linux

Summary

by MITRE • 10/14/2022

Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.14 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.


Analysis

by VulDB Data Team • 05/18/2025

CVE-2022-42720 is a critical flaw in the Linux kernel's mac80211 wireless subsystem affecting kernel versions 5.1 through 5.19.14. It stems from improper reference counting when handling multiple Basic Service Sets (BSS) in the wireless networking stack, which lets a local attacker able to inject wireless frames trigger use-after-free conditions. mac80211 is the kernel's core IEEE 802.11 framework, managing wireless interfaces and their associated BSS configurations, so a flaw there bears directly on wireless network security.

Technically, the bug is a combination of race conditions and improper memory management while handling multiple BSS configurations in the wireless driver stack. With several BSS contexts present, the reference counting fails to track when a wireless network object is freed while other components still hold references to it. This happens during wireless frame processing and BSS switching, where access to shared wireless state is not adequately synchronized. An attacker who can inject specially crafted frames can make the kernel free a memory structure prematurely while other code still accesses it, producing a use-after-free that can be leveraged for arbitrary code execution.
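The reference-counting discipline the paragraph above describes as broken, shown as an added C model that is neither kernel code nor VulDB's: the list owns one reference per BSS entry, a lookup takes its own reference, and removal drops only the list's, so an entry can never be freed under a user that still holds it. The struct, the function names and the BSSID value are all constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of reference-counted BSS entries, not kernel code:
 * the list owns one reference per entry and every lookup takes its own,
 * so unlinking an entry can never free it while another path uses it. */
struct bss { int refcount; char bssid[18]; struct bss *next; };
static struct bss *bss_list;
static int bss_frees;                  /* entries actually freed so far */
/* Drop one reference: 0 if still held, else the running count of frees. */
static int bss_put(struct bss *b)
{
    if (--b->refcount > 0) return 0;
    free(b); return ++bss_frees;
}
static void bss_add(const char *bssid)
{
    struct bss *b = calloc(1, sizeof(*b));
    strncpy(b->bssid, bssid, sizeof(b->bssid) - 1);
    b->refcount = 1;                   /* the list's own reference */
    b->next = bss_list; bss_list = b;
}
/* Returns a referenced pointer the caller must bss_put(). A borrowed pointer
 * here is the bug class: a later removal frees the entry under the caller. */
static struct bss *bss_find(const char *bssid)
{
    for (struct bss *b = bss_list; b; b = b->next)
        if (strcmp(b->bssid, bssid) == 0) { b->refcount++; return b; }
    return NULL;
}
/* Unlink the entry and drop only the list's reference. */
static void bss_remove(const char *bssid)
{
    struct bss **pp = &bss_list;
    while (*pp && strcmp((*pp)->bssid, bssid) != 0) pp = &(*pp)->next;
    if (!*pp) return;
    struct bss *b = *pp; *pp = b->next;
    bss_put(b);
}
/* Hold an entry across its removal: it must stay valid until the holder
 * releases it. Returns 1 on the expected lifetime, -1 otherwise. */
static int demo_lifetime(void)
{
    bss_add("02:00:00:00:00:01");      /* constructed, locally administered BSSID */
    struct bss *held = bss_find("02:00:00:00:00:01");
    int before = bss_frees;
    bss_remove("02:00:00:00:00:01");   /* list lets go; holder still has it */
    int ok = held && bss_frees == before && strcmp(held->bssid, "02:00:00:00:00:01") == 0;
    bss_put(held);                     /* last reference: freed now */
    return (ok && bss_frees == before + 1) ? 1 : -1;
}
```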

The impact goes beyond simple privilege escalation: a local attacker can potentially execute code with kernel privileges and compromise the whole system. The only prerequisite is the ability to inject wireless frames, which can be obtained through physical proximity to a wireless network or by exploiting other wireless vulnerabilities; since frame injection is a common capability of readily available wireless penetration-testing tools, the attack surface is broad. The resulting use-after-free can be turned into memory corruption that overwrites critical kernel data structures or runs malicious code in kernel space, potentially leading to complete system compromise and persistent backdoor access.

Mitigation primarily means upgrading to kernel version 5.19.15 or later, where the reference counting bugs are fixed through improved synchronization and memory management in the mac80211 subsystem. Organizations should prioritize this kernel update as the primary defense, since the flaw lies in the wireless stack's memory management itself. Network administrators should additionally segment wireless networks and monitor for anomalous frame-injection patterns that might indicate exploitation attempts. The vulnerability is classified under CWE-415, which describes improper handling of reference counts leading to double-free or use-after-free conditions, and maps to ATT&CK technique T1059.007 for execution through kernel modules, underlining the severity of the possible exploitation paths. Hardening measures such as disabling unneeded wireless interfaces and enforcing strict wireless network access controls add defense in depth while the kernel upgrade addresses the root cause.

Reservation

10/10/2022

Disclosure

10/14/2022

Moderation

accepted

CPE

ready

EPSS

0.00798

KEV

no

Activities

very low
