CVE-2022-49479 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
mt76: fix tx status related use-after-free race on station removal
There is a small race window where ongoing tx activity can lead to a skb getting added to the status tracking idr after that idr has already been cleaned up, which will keep the wcid linked in the status poll list. Fix this by only adding status skbs if the wcid pointer is still assigned in dev->wcid, which gets cleared early by mt76_sta_pre_rcu_remove.
Analysis
by VulDB Data Team • 03/25/2025
CVE-2022-49479 is a use-after-free race condition in the mt76 wireless driver of the Linux kernel, which supports MediaTek MT76-family wireless chipsets. The flaw is reachable during station removal: the driver's tx status tracking state for a station is cleaned up while transmissions for that station can still be in flight, and a late transmission can then re-link state that is about to be freed. The consequence is kernel memory corruption, which on production kernels surfaces most often as a crash; the fix commit describes the window as small and does not assess whether it can be won reliably enough for anything beyond that.
The root cause is missing synchronization between the tx status tracking path and station removal. For each wcid (wireless client ID, the driver's per-station context) the driver keeps an idr, the kernel's ID allocator, that maps a packet id to the skb awaiting a tx status report, and a wcid with pending entries is linked into a status poll list on the device. During removal, mt76_sta_pre_rcu_remove clears the station's pointer in dev->wcid early and the pending status entries are cleaned up. There is, however, a small window in which tx activity already under way can still add an skb to the idr after that cleanup has run. The wcid then stays linked in the status poll list with nothing left to unlink it, and once the station is freed the list holds a dangling pointer that the status poll path will later dereference.
The practical impact is kernel memory corruption during a routine operation. Station removal happens whenever a client disassociates from an access point or a client device drops its link to an AP, so a client that can associate with an mt76-based AP can drive the removal path at will by connecting and disconnecting; the attacker still has to win a narrow timing window, and the first-order outcome is a kernel oops or crash (denial of service). Turning a driver use-after-free into controlled code execution with kernel privileges is possible in principle for this bug class but is not demonstrated for this issue. Affected systems are those running an unpatched kernel with the mt76 driver: MediaTek-based access points and consumer routers, embedded devices, and laptops with MT76 adapters, with the most exposure on access points that handle frequent association and disassociation.
The fix is narrow: before adding a status skb to the tracking idr, the tx path now checks that the wcid pointer is still assigned in dev->wcid, the slot that mt76_sta_pre_rcu_remove clears first. Because the pointer is cleared before the cleanup, any path that observes it as cleared knows that teardown has started and must not create new tracking state; this is the usual pattern for RCU-style removal, where the published pointer doubles as the "still alive" flag. There is no configuration workaround short of not using the affected driver, so remediation is a kernel update. Because the CVE was assigned in 2025 for a fix that landed in 2022, verify coverage against the commit subject "mt76: fix tx status related use-after-free race on station removal" in your distribution's changelog or kernel git history rather than relying on the CVE identifier alone. Detection opportunities are limited: kernel oops or warning traces in mt76 code paths on access points, and use-after-free reports from KASAN on debug builds, both indicate the window is being hit, whether accidentally or deliberately. The issue maps to CWE-416 (Use After Free); if exploited for more than a crash it would fall under ATT&CK T1068 (Exploitation for Privilege Escalation).
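The race described in the root-cause and mitigation paragraphs, as an added single-threaded model in C. This is illustrative code written for this page, not the mt76 driver's code: the idr is modelled as a small fixed array, the station table is a plain pointer array named after dev->wcid, the early clearing step is named after mt76_sta_pre_rcu_remove, and every other name (tx_status_skb_add, tx_status_flush, the poll list helpers) is invented here. Instead of running two threads, the model executes the late tx path after the cleanup step, which is exactly the ordering the window allows, and shows that the pre-fix path leaves the wcid linked on the poll list while the guarded path refuses to track the skb.

```c
/* Added illustration, not driver code: a single-threaded model of the mt76
 * tx-status race. A "device" holds a table of wcid pointers (dev->wcid) and a
 * poll list of wcids with tx-status skbs pending. Station removal clears the
 * dev->wcid slot and drains the wcid's status table; a late tx path then tries
 * to register one more skb. All names except dev->wcid and
 * sta_pre_rcu_remove are invented for this model. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_WCID   4
#define MAX_PKTID  8   /* stand-in for the per-wcid status idr */

struct skb { int seq; };

struct wcid {
    int idx;                        /* slot in dev->wcid */
    struct skb *pktid[MAX_PKTID];   /* pending tx-status skbs, by packet id */
    bool on_poll_list;              /* linked into the device's status poll list */
};

struct dev {
    struct wcid *wcid[MAX_WCID];    /* models the RCU-published dev->wcid table */
    struct wcid *poll_list[MAX_WCID];
    int poll_len;
};

static void poll_list_add(struct dev *dev, struct wcid *w) {
    if (w->on_poll_list) return;
    dev->poll_list[dev->poll_len++] = w;
    w->on_poll_list = true;
}

static void poll_list_del(struct dev *dev, struct wcid *w) {
    for (int i = 0; i < dev->poll_len; i++) {
        if (dev->poll_list[i] == w) {
            dev->poll_list[i] = dev->poll_list[--dev->poll_len];
            break;
        }
    }
    w->on_poll_list = false;
}

/* Register an skb for tx status tracking. check_assigned selects between the
 * pre-fix behaviour (false) and the fix's guard (true). Returns the packet id,
 * or -1 when the skb is sent without status tracking. */
static int tx_status_skb_add(struct dev *dev, struct wcid *w, struct skb *skb,
                             bool check_assigned) {
    /* The fix: refuse once sta_pre_rcu_remove has cleared dev->wcid[idx]. */
    if (check_assigned && dev->wcid[w->idx] != w)
        return -1;
    for (int pid = 0; pid < MAX_PKTID; pid++) {
        if (!w->pktid[pid]) {
            w->pktid[pid] = skb;
            poll_list_add(dev, w);  /* wcid stays linked until status arrives */
            return pid;
        }
    }
    return -1;
}

/* Drop every pending status skb and unlink the wcid from the poll list. */
static void tx_status_flush(struct dev *dev, struct wcid *w) {
    memset(w->pktid, 0, sizeof(w->pktid));
    poll_list_del(dev, w);
}

/* Early step of station removal: publish "gone" by clearing the table slot,
 * then clean up the status tracking. In the real driver this precedes the RCU
 * grace period after which the station memory is freed. */
static void sta_pre_rcu_remove(struct dev *dev, struct wcid *w) {
    dev->wcid[w->idx] = NULL;
    tx_status_flush(dev, w);
}

/* Scenario: a late tx status registration lands after removal cleanup.
 * Returns true when the wcid is still linked on the poll list afterwards,
 * i.e. a pointer to soon-to-be-freed memory stays reachable (the bug). */
static bool removal_race_leaves_dangling(bool with_fix) {
    struct dev dev = {0};
    struct wcid w = { .idx = 1 };
    struct skb late = { .seq = 42 };        /* constructed sample packet */
    dev.wcid[w.idx] = &w;

    sta_pre_rcu_remove(&dev, &w);                  /* cleanup already ran... */
    tx_status_skb_add(&dev, &w, &late, with_fix);  /* ...then the late tx path */
    return w.on_poll_list;
}

/* Control: while the station is still assigned, the guarded path tracks
 * normally and hands out the first free packet id. */
static int tracked_pid_while_assigned(void) {
    struct dev dev = {0};
    struct wcid w = { .idx = 2 };
    struct skb skb = { .seq = 1 };
    dev.wcid[w.idx] = &w;
    return tx_status_skb_add(&dev, &w, &skb, true);
}

int main(void) {
    printf("without fix: wcid left on poll list = %d\n", removal_race_leaves_dangling(false));
    printf("with fix:    wcid left on poll list = %d\n", removal_race_leaves_dangling(true));
    printf("assigned station gets packet id %d\n", tracked_pid_while_assigned());
    return 0;
}
```

The guard works only because the removal path clears dev->wcid before it flushes the status table; if the order were reversed, a tx path could pass the check and still insert into a table that is flushed a moment later, which is why the commit message stresses that the pointer "gets cleared early".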