CVE-2022-49290 in Linuxinfo

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix potential double free on mesh join

While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh") fixed a memory leak on mesh leave / teardown it introduced a potential memory corruption caused by a double free when rejoining the mesh:

ieee80211_leave_mesh() -> kfree(sdata->u.mesh.ie);
...
ieee80211_join_mesh() -> copy_mesh_setup() -> old_ie = ifmsh->ie; -> kfree(old_ie);

This double free / kernel panics can be reproduced by using wpa_supplicant with an encrypted mesh (if set up without encryption via "iw" then ifmsh->ie is always NULL, which avoids this issue). And then calling:

$ iw dev mesh0 mesh leave
$ iw dev mesh0 mesh join my-mesh

Note that typically these commands are not used / working when using wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join where the NETDEV_UP resets the mesh.ie to NULL via a memcpy of default_mesh_setup in cfg80211_netdev_notifier_call, which then avoids the memory corruption, too.

The issue was first observed in an application which was not using wpa_supplicant but "Senf" instead, which implements its own calls to nl80211.

Fixing the issue by removing the kfree()'ing of the mesh IE in the mesh join function and leaving it solely up to the mesh leave to free the mesh IE.
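To make the ownership mistake in the call chain above and the fix just described concrete, here is a userspace C model added by the editor (not kernel code and not part of the advisory): the tracking shims for kmemdup()/kfree(), the struct mesh_if layout and the constructed IE bytes are assumptions; only the leave/join sequence and the kfree(old_ie) line follow the commit message.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* kfree() stand-in: frees are recorded, not executed, so a second free of
 * the same pointer is counted instead of corrupting the heap. */
#define MAX_ALLOCS 8
static void *allocs[MAX_ALLOCS];      /* every buffer handed out in one run */
static bool freed[MAX_ALLOCS];
static int nallocs, double_frees;

static unsigned char *kmemdup_shim(const unsigned char *src, size_t len) {
    unsigned char *p = nallocs < MAX_ALLOCS ? malloc(len) : NULL;
    if (p) { memcpy(p, src, len); freed[nallocs] = false; allocs[nallocs++] = p; }
    return p;
}

static void kfree_shim(const void *p) {
    if (!p) return;                       /* kfree(NULL) is a no-op */
    for (int i = 0; i < nallocs; i++)
        if (allocs[i] == p) { if (freed[i]) double_frees++; freed[i] = true; }
}
struct mesh_if { unsigned char *ie; size_t ie_len; };   /* ifmsh->ie / ie_len */
/* ieee80211_leave_mesh() after commit 6a01afcf8468: frees the IE but leaves
 * the stale pointer behind in sdata->u.mesh.ie. */
static void leave_mesh(struct mesh_if *ifmsh) { kfree_shim(ifmsh->ie); }
/* copy_mesh_setup() as reached from ieee80211_join_mesh(). pre_fix selects
 * the original body, which also does kfree(old_ie), or the fixed one. */
static int copy_mesh_setup(struct mesh_if *ifmsh, const unsigned char *ie,
                           size_t len, bool pre_fix) {
    unsigned char *new_ie = NULL; const unsigned char *old_ie = ifmsh->ie;
    if (len && !(new_ie = kmemdup_shim(ie, len))) return -1;   /* -ENOMEM */
    ifmsh->ie_len = len; ifmsh->ie = new_ie;
    if (pre_fix) kfree_shim(old_ie);      /* second free after leave_mesh() */
    return 0;
}

/* join -> leave -> join -> leave; returns the number of double frees. */
static int rejoin_double_frees(bool pre_fix) {
    static const unsigned char setup_ie[] = { 0x72, 0x01, 0x00 }; /* constructed */
    struct mesh_if ifmsh = { NULL, 0 }; nallocs = 0; double_frees = 0;
    copy_mesh_setup(&ifmsh, setup_ie, sizeof setup_ie, pre_fix);  /* mesh join */
    leave_mesh(&ifmsh);                                          /* mesh leave */
    copy_mesh_setup(&ifmsh, setup_ie, sizeof setup_ie, pre_fix);  /* rejoin */
    leave_mesh(&ifmsh);                                          /* teardown */
    for (int i = 0; i < nallocs; i++) free(allocs[i]);           /* real release */
    return double_frees;
}
```

With pre_fix set the rejoin's kfree(old_ie) hits the buffer leave_mesh() already released (one double free); with the fix the IE is freed exactly once per leave and the join only overwrites the pointer.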


Analysis

by VulDB Data Team • 05/23/2025

The vulnerability described in CVE-2022-49290 represents a critical memory corruption issue within the Linux kernel's mac80211 subsystem, specifically affecting mesh network operations. This flaw manifests as a potential double free condition that can lead to kernel panics and system instability. The vulnerability was introduced during a previous fix for a memory leak in mesh leave operations, demonstrating how security patches can inadvertently create new vulnerabilities through complex interactions within kernel subsystems. The issue affects wireless mesh networks that utilize the IEEE 802.11s standard, where devices communicate in a mesh topology rather than traditional infrastructure networks.

The technical root cause is improper memory management during mesh rejoin, specifically in the interaction between ieee80211_leave_mesh() and ieee80211_join_mesh(). When an interface leaves a mesh, ieee80211_leave_mesh() frees the mesh information element (IE) data with a kfree(sdata->u.mesh.ie) call but does not clear the pointer. On a subsequent join, ieee80211_join_mesh() calls copy_mesh_setup(), which saves that stale pointer as old_ie = ifmsh->ie and frees it again with kfree(old_ie). This is a classic double free: the same memory region is deallocated twice, corrupting allocator state and leading to kernel panics or system crashes. The vulnerability is particularly significant because it operates at the kernel level, where such corruption can compromise system integrity and stability.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation or denial of service attacks within wireless mesh network environments. Attackers could exploit this vulnerability by repeatedly leaving and rejoining mesh networks through command line tools like iw, creating the conditions for memory corruption that would cause kernel panics. The vulnerability is particularly concerning in environments where mesh networks are used for critical infrastructure communications, as it could lead to service disruption or unauthorized access to network resources. The issue is triggered with wpa_supplicant on an encrypted mesh but not on an unencrypted mesh set up via iw; as the summary above notes, ifmsh->ie stays NULL in the unencrypted case, so there is no IE buffer to free twice. This vulnerability affects the broader Linux kernel community and has implications for wireless network security, as it represents a failure in proper memory lifecycle management within the mac80211 subsystem that handles wireless network operations.

The mitigation strategy for this vulnerability involves modifying the mesh join function to remove the kfree() operation on mesh IE data, allowing only the mesh leave function to handle memory deallocation. This approach follows the principle of single responsibility for memory management operations and prevents the double free condition by ensuring that memory is freed exactly once during the mesh network lifecycle. The fix aligns with established security practices for kernel memory management and represents a defensive programming approach that prevents the specific memory corruption scenario. Organizations should prioritize updating their kernel versions to include this fix, particularly those operating wireless mesh networks with wpa_supplicant or other applications that interact with mesh network interfaces. The vulnerability demonstrates the importance of thorough testing of security patches and the potential for unintended consequences when modifying memory management operations in kernel subsystems. This fix specifically addresses the CWE-415: Double Free vulnerability category, which is a well-known class of memory corruption issues that can lead to arbitrary code execution or system instability. The resolution also aligns with ATT&CK technique T1059.007 for kernel-level exploitation and represents a critical patch for maintaining wireless network security in enterprise and infrastructure environments.

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources
