CVE-2022-49129 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7921: fix crash when startup fails.
If the nic fails to start, it is possible that the reset_work has already been scheduled. Ensure the work item is canceled so we do not have a use-after-free crash in case cleanup is called before the work item is executed.
This fixes a crash on my x86_64 apu2 when the mt7921k radio fails to work. The radio still fails, but the OS does not crash.
Analysis
by VulDB Data Team • 12/06/2025
The vulnerability identified as CVE-2022-49129 is a critical use-after-free condition in the Linux kernel's mt76 wireless driver subsystem, specifically in the mt7921 chipset implementation. The flaw manifests during initialization of the wireless network interface, when the driver does not handle cleanup correctly after hardware initialization fails. The issue stems from improper management of a work queue item scheduled during device startup: the driver's memory is released while the pending work item still references it, so that reference is dangling by the time the work runs.
The technical root cause lies in inadequate synchronization and cleanup in the driver's error handling path. When the mt7921 wireless radio fails to initialize correctly, the reset_work item - a kernel work queue structure responsible for handling device reset operations - may already be scheduled for execution. The driver, however, does not cancel this work item before proceeding with cleanup, so the work handler can later access memory that has already been freed or reallocated. This classic use-after-free condition can crash the entire operating system.
This vulnerability operates at the kernel level within the Linux wireless subsystem, specifically impacting the mt76 driver framework that manages various MediaTek wireless chipsets, including the mt7921 family. The flaw has the characteristics of CWE-416, which describes use of memory after it has been freed, and aligns with ATT&CK technique T1059.003 for command and scripting interpreter usage in kernel contexts. The vulnerability affects systems running Linux kernels with the mt76 driver stack, particularly hardware platforms such as the x86_64 apu2 mentioned in the fix description, where MediaTek mt7921 wireless radios are deployed.
The operational impact of this vulnerability goes beyond simple system instability: it is a potential attack surface for privilege escalation or denial-of-service scenarios. An attacker who can trigger the specific conditions leading to this failure - such as manipulating hardware initialization sequences or creating race conditions - could exploit the flaw to crash the system or potentially execute arbitrary code in kernel space. The fix addresses this by ensuring the work item is cancelled before cleanup begins, so the invalid memory access that would otherwise occur is prevented.
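To make the ordering bug concrete, here is an added userspace C model (not kernel code and not the project's patch) of the pattern described above: a toy single-slot workqueue, a device struct with a reset_work member, and an error path that frees the device with and without cancelling the queued work first. All toy_* names, dev_of and simulate_startup_failure are invented; the sanitizer that records the last freed address is constructed so the use-after-free is reported rather than dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Toy userspace model of the CVE-2022-49129 pattern (added example, not kernel code;
 * toy_dev, toy_work and the toy_* helpers are invented). A work item queued during
 * startup must be cancelled before the struct it lives in is freed; otherwise the
 * deferred handler later runs on freed memory. */
struct toy_work { void (*fn)(struct toy_work *); bool pending; };
struct toy_dev { int resets; struct toy_work reset_work; /* like mt76's reset_work */ };
#define dev_of(w) ((struct toy_dev *)((char *)(w) - offsetof(struct toy_dev, reset_work)))
static struct toy_work *queued;  /* one-slot workqueue: the kernel runs it later */
static uintptr_t last_freed;     /* constructed sanitizer: address of last freed device */

static void toy_schedule_work(struct toy_work *w) { w->pending = true; queued = w; }
/* Real cancel_work_sync() also waits for a running handler; the toy has no threads. */
static void toy_cancel_work_sync(struct toy_work *w) { if (queued == w) queued = NULL; w->pending = false; }
static void toy_dev_free(struct toy_dev *dev) { last_freed = (uintptr_t)dev; free(dev); }
static void reset_work_fn(struct toy_work *w) { dev_of(w)->resets++; }

/* Drain the queue. Returns 1 if the handler would have run on a freed device. */
static int run_workqueue(void)
{
    struct toy_work *w = queued;
    queued = NULL;
    if (!w) return 0;
    if ((uintptr_t)dev_of(w) == last_freed)
        return 1;  /* use-after-free caught instead of dereferenced */
    w->pending = false;
    w->fn(w);
    return 0;
}

/* Startup path in which a reset was queued and hardware init then fails. */
static void startup_fails(struct toy_dev *dev, bool fixed)
{
    toy_schedule_work(&dev->reset_work);        /* firmware trouble queues a reset */
    if (fixed)
        toy_cancel_work_sync(&dev->reset_work); /* the fix: cancel before freeing */
    toy_dev_free(dev);                          /* error-path cleanup frees dev */
}
/* 1 = deferred handler touched freed memory (vulnerable), 0 = clean (fixed). */
int simulate_startup_failure(bool fixed)
{
    struct toy_dev *dev = calloc(1, sizeof *dev);
    if (!dev) return -1;
    dev->reset_work.fn = reset_work_fn;
    startup_fails(dev, fixed);
    return run_workqueue();
}
```

The model shows why the cancel must precede the free: once the device struct is gone, nothing else can tell the deferred handler not to run.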
Mitigation should focus on applying the kernel patch that cancels the work queue item during error handling. System administrators should prioritize updating their Linux kernel installations to versions containing the fix, particularly in environments where MediaTek mt7921 wireless hardware is deployed. Additional monitoring should be implemented to detect unusual patterns in wireless driver initialization failures that might indicate exploitation attempts. The fix is an example of defensive programming through correct resource management and cleanup ordering, which aligns with secure coding guidelines for kernel development and helps prevent similar vulnerabilities in other driver components that exhibit the same race condition pattern in their error handling.