CVE-2022-49754 in Linux

Summary

by MITRE • 03/27/2025

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix a buffer overflow in mgmt_mesh_add()

Smatch Warning: net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy() 'mesh_tx->param' too small (48 vs 50)

Analysis:

'mesh_tx->param' is array of size 48. This is the destination. u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.

But in the caller 'mesh_send' we reject only when len > 50. len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.


Analysis

by VulDB Data Team • 12/06/2025

CVE-2022-49754 is a buffer overflow in the Linux kernel's Bluetooth subsystem, in the management-interface helper mgmt_mesh_add() in net/bluetooth/mgmt_util.c. The function copies a caller-supplied command payload into a fixed-size array, and the length bound enforced by its caller is larger than that array, so a payload that passes validation can still be written past the end of the destination. Because mgmt_mesh_add() allocates the containing struct mgmt_mesh_tx with kzalloc(), the overrun lands in kernel heap memory adjacent to the object: a memory-safety violation in code that runs with full kernel privilege.

The mismatch is between two constants that were meant to agree. mesh_tx->param is declared as u8 param[sizeof(struct mgmt_cp_mesh_send) + 29], which is 19 + 29 = 48 bytes. The caller, mesh_send(), the handler for the MGMT_OP_MESH_SEND command, rejects a request only when len > MGMT_MESH_SEND_SIZE + 31, that is, when len > 50. A request of 49 or 50 bytes therefore passes the check, and memcpy() writes 1 or 2 bytes beyond the end of param. VulDB classifies the flaw as CWE-121 (Stack-based Buffer Overflow); since the destination is a member of a kzalloc()'d object, the overrun actually goes into heap memory, which does not change the root cause: a bounds check written as a literal that drifted away from the buffer it guards.
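The following C program models the mismatch described above. It is an added example, not kernel code: the struct layouts keep only the fields needed to show the overrun, the canary member after param is constructed for the demonstration, and the "tied" check at the end is a hardening suggestion of the editor's, not part of the upstream fix. The copy goes through a raw byte pointer, as the kernel's memcpy() effectively does, so the declared size of param has no effect on how many bytes land in the object.

```c
/*
 * Model of the size mismatch behind CVE-2022-49754.  Added example, not
 * kernel code: struct layouts are reduced to the fields needed for the
 * demonstration, and the canary member is constructed for it.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint8_t u8;

#define MGMT_MESH_SEND_SIZE 19                        /* packed sizeof(struct mgmt_cp_mesh_send) */
#define MESH_SEND_MAX_LEN   (MGMT_MESH_SEND_SIZE + 31) /* 50: the bound mesh_send() enforces */

/* Pre-fix layout: param sized with +29 = 48 bytes. */
struct mesh_tx_vuln {
    u8 handle;
    u8 instance;
    u8 param[MGMT_MESH_SEND_SIZE + 29];
    u8 canary[2];               /* constructed sentinel: whatever follows param */
};

/* Post-fix layout: param sized with +31 = 50 bytes, equal to MESH_SEND_MAX_LEN. */
struct mesh_tx_fixed {
    u8 handle;
    u8 instance;
    u8 param[MGMT_MESH_SEND_SIZE + 31];
    u8 canary[2];
};

/* mesh_send()'s validation as given in the commit message: reject only len > 50. */
static int mesh_send_len_ok(size_t len)
{
    return len <= MESH_SEND_MAX_LEN;
}

/*
 * Emulate mgmt_mesh_add(): the object arrives zeroed (kzalloc) and memcpy()
 * writes len bytes at param's offset regardless of param's declared size.
 */
static void emulate_mesh_add(u8 *obj, size_t param_off, const u8 *data, size_t len)
{
    memcpy(obj + param_off, data, len);
}

/* Count canary bytes that are no longer zero after the copy. */
static int clobbered(const u8 *canary, size_t n)
{
    int hit = 0;
    for (size_t i = 0; i < n; i++)
        hit += canary[i] != 0;
    return hit;
}

/*
 * Push a MGMT_OP_MESH_SEND of `len` bytes through the pre-fix path.
 * Returns -1 if the caller rejects it, otherwise the number of bytes that
 * landed past the end of param (observed through the canary).
 */
int overrun_before_fix(size_t len)
{
    u8 data[MESH_SEND_MAX_LEN];
    struct mesh_tx_vuln *tx;
    int over;

    if (!mesh_send_len_ok(len))
        return -1;                              /* MGMT_STATUS_INVALID_PARAMS */
    memset(data, 0x41, sizeof(data));           /* constructed payload */
    tx = calloc(1, sizeof(*tx));                /* stands in for kzalloc() */
    if (!tx)
        abort();
    emulate_mesh_add((u8 *)tx, offsetof(struct mesh_tx_vuln, param), data, len);
    over = clobbered(tx->canary, sizeof(tx->canary));
    free(tx);
    return over;
}

/* The same request through the post-fix layout. */
int overrun_after_fix(size_t len)
{
    u8 data[MESH_SEND_MAX_LEN];
    struct mesh_tx_fixed *tx;
    int over;

    if (!mesh_send_len_ok(len))
        return -1;
    memset(data, 0x41, sizeof(data));
    tx = calloc(1, sizeof(*tx));
    if (!tx)
        abort();
    emulate_mesh_add((u8 *)tx, offsetof(struct mesh_tx_fixed, param), data, len);
    over = clobbered(tx->canary, sizeof(tx->canary));
    free(tx);
    return over;
}

/*
 * Editor's hardening suggestion (not the upstream change): derive the bound
 * from the destination's own size so the check and the array cannot drift.
 */
int mesh_send_len_ok_tied(size_t len)
{
    return len <= sizeof(((struct mesh_tx_fixed *)0)->param);
}
```

With the pre-fix layout, a 48-byte request is clean, 49 bytes clobbers one byte past param and 50 bytes clobbers two, while 51 is rejected; with the post-fix layout the accepted maximum of 50 fits exactly.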

The overflow is reached through the Bluetooth management socket (the HCI control channel), not over the air: the oversized payload is the body of an MGMT_OP_MESH_SEND command submitted by a local process, and binding that channel requires CAP_NET_ADMIN. The realistic attacker is therefore a privileged local process, such as a compromised Bluetooth daemon or a container or service that was granted CAP_NET_ADMIN, using the bug to corrupt kernel heap memory. A 2-byte overrun into whatever follows the object gives limited control, so the likely outcome is a crash or slab corruption, but it should still be treated as a local privilege-escalation primitive from CAP_NET_ADMIN to kernel code execution. The mapping to ATT&CK T1068 (Exploitation for Privilege Escalation) fits; the listed T1566 (Phishing) does not describe this bug, which is not triggered by any received message, attachment or link.

The mitigation is the upstream fix, which enlarges param to sizeof(struct mgmt_cp_mesh_send) + 31 (50 bytes) so that it matches the bound checked in mesh_send(); update to a kernel that carries the commit "Bluetooth: Fix a buffer overflow in mgmt_mesh_add()". Until then, exposure is limited to processes that can open the HCI control channel, so not granting CAP_NET_ADMIN to untrusted containers or services contains the issue, and on hosts that do not use Bluetooth at all, not loading the bluetooth module removes the attack surface entirely. When reviewing similar code, prefer bounds expressed as sizeof() of the destination over hand-maintained literals, so that the check and the buffer cannot drift apart as they did here.

Responsible

Linux

Reservation

03/27/2025

Disclosure

03/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00197

KEV

no

Activities

very low
