CVE-2022-49022 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
Fix possible out-of-bound access in ieee80211_get_rate_duration routine as reported by the following UBSAN report:
UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47 index 15 is out of range for type 'u16 [12]'
CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017 Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
Call Trace: show_stack+0x4e/0x61 dump_stack_lvl+0x4a/0x6f dump_stack+0x10/0x18 ubsan_epilogue+0x9/0x43 __ubsan_handle_out_of_bounds.cold+0x42/0x47 ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
process_one_work+0x225/0x400 worker_thread+0x50/0x3e0 ? process_one_work+0x400/0x400 kthread+0xe9/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/19/2026
The vulnerability identified as CVE-2022-49022 represents a critical out-of-bounds memory access flaw within the Linux kernel's mac80211 subsystem, specifically affecting wireless network drivers. This issue manifests in the ieee80211_get_rate_duration function located in net/mac80211/airtime.c at line 455, where an array index access exceeds the allocated bounds. The flaw occurs during wireless frame processing when the kernel attempts to calculate airtime metrics for transmitted or received frames, particularly impacting USB-based wireless network adapters such as those using the mt76x02 and mt76usb driver modules.
The technical root cause stems from improper bounds checking within the wireless rate duration calculation routine. According to the UBSAN report, the system attempts to access index 15 in a u16 array of size 12, creating a clear array-index-out-of-bounds condition. This vulnerability demonstrates a classic CWE-129 weakness, where insufficient validation of array indices allows unauthorized memory access patterns. The flaw specifically affects the airtime calculation logic that determines how long wireless frames occupy transmission channels, which is crucial for proper medium access control and quality of service implementations in IEEE 802.11 wireless networks.
Operational impact of this vulnerability extends beyond simple kernel panics or crashes, as it represents a potential vector for privilege escalation or denial-of-service attacks within wireless network environments. When exploited, the out-of-bounds access can corrupt kernel memory structures, leading to system instability, unexpected termination of wireless services, or potentially allowing attackers to execute arbitrary code with kernel privileges. The vulnerability affects systems using wireless USB adapters with mt76x02 and mt76usb driver stacks, making it particularly relevant for embedded systems, IoT devices, and desktop environments relying on such hardware. According to ATT&CK framework category T1068, this vulnerability could enable privilege escalation through kernel exploitation techniques, while T1499 covers potential denial-of-service impacts.
The fix implemented addresses the core issue by ensuring proper bounds validation before array access operations within the ieee80211_get_rate_duration function. This remediation aligns with standard secure coding practices that require input validation and bounds checking, particularly in kernel space where memory corruption can lead to complete system compromise. The patch likely involves adding boundary checks to ensure that rate index values do not exceed the maximum allowed array size of 12 elements. Security practitioners should prioritize deployment of kernel updates containing this fix, as the vulnerability exists in kernel versions prior to the patched release and affects wireless network functionality across multiple hardware platforms. The mitigation strategy should include comprehensive testing of wireless network functionality after patch deployment to ensure no regressions in wireless performance or driver compatibility occur.