CVE-2022-49533 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
ath11k: Change max no of active probe SSID and BSSID to fw capability
The maximum number of SSIDs in a for active probe requests is currently reported as 16 (WLAN_SCAN_PARAMS_MAX_SSID) when registering the driver. The scan_req_params structure only has the capacity to hold 10 SSIDs. This leads to a buffer overflow which can be triggered from wpa_supplicant in userspace. When copying the SSIDs into the scan_req_params structure in the ath11k_mac_op_hw_scan route, it can overwrite the extraie pointer.
Firmware supports 16 ssid * 4 bssid, for each ssid 4 bssid combo probe request will be sent, so totally 64 probe requests supported. So set both max ssid and bssid to 16 and 4 respectively. Remove the redundant macros of ssid and bssid.
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01300-QCAHKSWPL_SILICONZ-1
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 10/21/2025
The vulnerability CVE-2022-49533 affects the Linux kernel's ath11k wireless driver implementation, specifically addressing a buffer overflow condition that arises during active probe request processing. This issue stems from a mismatch between the reported maximum number of SSIDs for active scanning and the actual capacity of the underlying scan request structure. The flaw exists in the wireless subsystem where the driver incorrectly advertises support for 16 SSIDs through the WLAN_SCAN_PARAMS_MAX_SSID constant during driver registration, while the internal scan_req_params structure can only accommodate 10 SSIDs. This discrepancy creates a scenario where user-space applications like wpa_supplicant can trigger a buffer overflow condition when attempting to submit more than the supported number of SSIDs for scanning operations.
The technical implementation flaw occurs within the ath11k_mac_op_hw_scan function where SSIDs are copied from user-space into the scan_req_params structure. When more than 10 SSIDs are provided, the copying operation extends beyond the allocated buffer boundaries, potentially overwriting adjacent memory locations including the extraie pointer which is critical for maintaining proper data structure integrity. This buffer overflow represents a classic CWE-121 buffer overflow vulnerability where insufficient bounds checking allows memory corruption. The vulnerability is particularly concerning as it can be exploited from user-space applications without requiring privileged access, making it a significant security risk in wireless networking environments.
The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable more sophisticated attack vectors. Attackers could leverage this buffer overflow to cause denial of service conditions by crashing the wireless subsystem or potentially executing arbitrary code if proper memory layout protections are not in place. The vulnerability affects wireless devices using the ath11k driver, particularly those based on Qualcomm IPQ8074 hardware platforms, where the firmware actually supports up to 16 SSIDs with 4 BSSIDs per SSID combination, resulting in a maximum of 64 probe requests. The mismatch between the driver's reported capabilities and actual implementation creates a path for exploitation that aligns with ATT&CK technique T1059.007 for command and scripting interpreter execution through buffer overflow exploitation.
The fix implemented addresses the root cause by aligning the driver's reported maximum SSID and BSSID values with the firmware's actual capabilities. The solution sets both maximum SSID and BSSID values to 16 and 4 respectively, ensuring that the driver's advertised limits match the underlying hardware support. This change eliminates the buffer overflow condition by removing the redundant macros and ensuring proper bounds checking during SSID copying operations. The mitigation approach follows security best practices by implementing proper input validation and buffer size management. The resolution also includes removing outdated macro definitions that contributed to the confusion between reported and actual capabilities, thereby reducing the attack surface and improving overall system stability. This fix demonstrates the importance of maintaining consistency between driver interfaces and underlying hardware capabilities to prevent security vulnerabilities in wireless networking stacks.