CVE-2022-48876 in Linux
Summary
by MITRE • 08/21/2024
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix initialization of rx->link and rx->link_sta
There are some codepaths that do not initialize rx->link_sta properly. This causes a crash in places which assume that rx->link_sta is valid if rx->sta is valid. One known instance is triggered by __ieee80211_rx_h_amsdu being called from fast-rx. It results in a crash like this one:
BUG: kernel NULL pointer dereference, address: 00000000000000a8
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G E 6.1.0-debian64x+1.7 #3
Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014
RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]
Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48 83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 83 84 d0 a8 00 00 00 01 41 8b 86 c0 11 00 00 8d 50 fd 83 fa 01
RSP: 0018:ffff999040803b10 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900
R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000
FS:  0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0
Call Trace:
 __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]
 ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
 ? __local_bh_enable_ip+0x3b/0xa0
 ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
 ? prepare_transfer+0x109/0x1a0 [xhci_hcd]
 ieee80211_rx_list+0xa80/0xda0 [mac80211]
 mt76_rx_complete+0x207/0x2e0 [mt76]
 mt76_rx_poll_complete+0x357/0x5a0 [mt76]
 mt76u_rx_worker+0x4f5/0x600 [mt76_usb]
 ? mt76_get_min_avg_rssi+0x140/0x140 [mt76]
 __mt76_worker_fn+0x50/0x80 [mt76]
 kthread+0xed/0x120
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
Since the initialization of rx->link and rx->link_sta is rather convoluted and duplicated in many places, clean it up by using a helper function to set it.
[remove unnecessary rx->sta->sta.mlo check]
Analysis
by VulDB Data Team • 02/17/2026
The vulnerability described in CVE-2022-48876 resides within the Linux kernel's mac80211 subsystem, which implements the IEEE 802.11 wireless MAC layer. The issue concerns the initialization of the rx->link and rx->link_sta fields during receive-path packet processing. Some code paths fail to initialize rx->link_sta, while other code assumes that rx->link_sta is valid whenever rx->sta is valid; the mismatch leads to a kernel NULL pointer dereference. The flaw is dangerous because the crash can occur during normal wireless operation, specifically when __ieee80211_rx_h_amsdu is invoked from fast-rx processing. The faulting address 0x00000000000000a8 is a NULL rx->link_sta pointer plus the offset of the field being written; the access hits an unmapped page, invokes the kernel's page fault handler, and the kernel crashes immediately. The weakness is classified as CWE-476 (NULL Pointer Dereference), the fundamental failure to validate a pointer before dereferencing it.
Technically, the vulnerability stems from the complex and duplicated initialization logic within the mac80211 wireless subsystem. The rx->link and rx->link_sta fields hold the per-link state of the receiving interface and of the associated station, but the code paths that initialize them are inconsistent and error-prone. When rx->link_sta is left uninitialized, subsequent code that assumes its validity triggers the NULL pointer dereference. The crash trace shows execution reaching ieee80211_deliver_skb, which writes to the rx->link_sta structure at offset 0xa8 and causes the kernel to oops. This directly impacts the reliability of the kernel's wireless subsystem and can be abused to cause a denial of service against wireless network functionality. The ATT&CK framework categorizes this under T1499.004 (Endpoint Denial of Service), as it targets kernel-level resources to cause system instability and service disruption.
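To make the invariant behind this bug concrete, here is an added example (constructed for this page, not kernel code) that models the receive-path fields from the Summary and the fix described above: a simplified rx_data with sta and link_sta, a buggy path that sets only rx->sta, a single hypothetical helper rx_set_sta() that sets both fields the way the fix centralizes initialization, and a consumer that makes the same assumption as ieee80211_deliver_skb. The struct layouts, MAX_LINKS and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed, simplified models of the mac80211 objects involved; not kernel code. */
#define MAX_LINKS 2
struct link_sta { unsigned long rx_packets; };
struct sta      { struct link_sta deflink; struct link_sta *link[MAX_LINKS]; };
struct rx_data  { struct sta *sta; struct link_sta *link_sta; };

/* Invariant the consumers rely on: whenever rx->sta is set, rx->link_sta is set too. */
static bool rx_invariant_holds(const struct rx_data *rx)
{
    return rx->sta == NULL || rx->link_sta != NULL;
}

/* The buggy shape: a code path fills in rx->sta and forgets rx->link_sta. */
static void rx_set_sta_buggy(struct rx_data *rx, struct sta *sta)
{
    rx->sta = sta;
}

/* The fixed shape: one helper sets both fields from the station and the link id, so
 * every code path initializes them identically (hypothetical helper modelled on the
 * description of the fix). Returns false if the requested link does not exist. */
static bool rx_set_sta(struct rx_data *rx, struct sta *sta, int link_id)
{
    rx->sta = sta;
    rx->link_sta = NULL;
    if (sta == NULL)
        return true;                      /* no station: nothing to look up */
    if (link_id < 0) {
        rx->link_sta = &sta->deflink;     /* non-MLO frame: use the default link */
        return true;
    }
    if (link_id >= MAX_LINKS || sta->link[link_id] == NULL)
        return false;                     /* unknown link: caller must drop the frame */
    rx->link_sta = sta->link[link_id];
    return true;
}

/* Consumer with the same assumption as ieee80211_deliver_skb: it only checks rx->sta.
 * Returns the updated per-link counter, or -1 if the invariant is violated (instead of
 * writing through a NULL pointer as the unpatched kernel did). */
static long deliver(struct rx_data *rx)
{
    if (rx->sta == NULL)
        return 0;
    if (!rx_invariant_holds(rx))
        return -1;
    return (long)++rx->link_sta->rx_packets;
}
```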
The operational impact extends beyond a single crash: wireless network operations are severely disrupted, and the instability could potentially give attackers opportunities for further attacks. When the kernel crashes on this NULL pointer dereference, wireless connectivity is lost until the system is rebooted, which is particularly problematic for embedded devices and other systems where wireless connectivity is critical. The crash in the report comes from the mt76 driver for MediaTek wireless chips, but any driver that feeds frames through the same mac80211 code paths could be affected. The trace also shows that the issue occurs during fast-rx processing, mac80211's optimized receive path for data frames, which makes the flaw more concerning because it sits on a commonly exercised, performance-critical path. Organizations running wireless networking equipment on Linux kernels with affected mac80211 implementations face significant risk of service disruption and potential system compromise.
Mitigation should focus on applying the official kernel patches that correct the initialization of rx->link and rx->link_sta. The fix introduces a helper function that initializes both fields, which removes the duplicated code and guarantees consistent initialization across all code paths. System administrators should prioritize updating to kernel versions that include the patched mac80211 implementation, particularly where wireless reliability is critical. Monitoring for kernel crashes and system instability can help identify attempts to trigger the flaw, and network segmentation and access controls limit the impact if it is triggered. The vulnerability illustrates the importance of consistent initialization patterns in kernel code and the need for thorough testing of wireless subsystems, especially on embedded devices where wireless functionality is essential. Organizations should assess which systems run affected kernel versions and ensure that all wireless network infrastructure receives the appropriate security patches.