CVE-2022-49876 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit()
When device is running and the interface status is changed, the gpf issue is triggered. The problem triggering process is as follows: Thread A: Thread B ieee80211_runtime_change_iftype() process_one_work() ... ... ieee80211_do_stop() ... ... ... sdata->bss = NULL ... ... ieee80211_subif_start_xmit() ieee80211_multicast_to_unicast //!sdata->bss->multicast_to_unicast cause gpf issue
When the interface status is changed, the sending queue continues to send packets. After the bss is set to NULL, the bss is accessed. As a result, this causes a general-protection-fault issue.
The following is the stack information: general protection fault, probably for non-canonical address 0xdffffc000000002f: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f]
Workqueue: mld mld_ifc_work RIP: 0010:ieee80211_subif_start_xmit+0x25b/0x1310 Call Trace:
dev_hard_start_xmit+0x1be/0x990 __dev_queue_xmit+0x2c9a/0x3b60 ip6_finish_output2+0xf92/0x1520 ip6_finish_output+0x6af/0x11e0 ip6_output+0x1ed/0x540 mld_sendpack+0xa09/0xe70 mld_ifc_work+0x71c/0xdb0 process_one_work+0x9bf/0x1710 worker_thread+0x665/0x1080 kthread+0x2e4/0x3a0 ret_from_fork+0x1f/0x30
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability identified as CVE-2022-49876 resides within the linux kernel's mac80211 subsystem, specifically affecting wireless network interface handling during interface type changes. This issue manifests as a general protection fault occurring in the ieee80211_subif_start_xmit() function, which is triggered when a wireless interface transitions from one operational state to another while packets are being transmitted through the sending queue. The flaw represents a classic race condition scenario where concurrent threads access shared data structures without proper synchronization mechanisms, leading to memory access violations that compromise system stability. The vulnerability operates under the context of wireless networking operations where interface type changes are common during network reconfiguration or device management activities.
The technical root cause of this vulnerability stems from improper handling of the bss (basic service set) data structure during interface state transitions. When ieee80211_runtime_change_iftype() is invoked, it calls ieee80211_do_stop() which sets sdata->bss to NULL, indicating that the basic service set context is no longer valid. However, concurrent execution paths in Thread B can still attempt to access this now-null bss pointer within the ieee80211_subif_start_xmit() function, specifically in the ieee80211_multicast_to_unicast() call chain. This results in a null pointer dereference that triggers a general protection fault, as evidenced by the kernel stack trace showing the fault occurring at the KASAN null-ptr-deref location. The memory access violation occurs at address 0x0000000000000178 to 0x000000000000017f, indicating a direct access to a null pointer within the bss structure's multicast_to_unicast field.
The operational impact of this vulnerability extends beyond simple system crashes, as it can lead to complete system instability and potential denial of service conditions in wireless networking environments. Attackers could potentially exploit this race condition by rapidly changing interface types while maintaining active network traffic, causing repeated kernel panics that would disrupt wireless connectivity for all users of the affected system. The vulnerability affects systems running kernel versions where the mac80211 subsystem handles wireless interface management, particularly impacting devices that frequently change wireless interface configurations or those operating in dynamic network environments where interface status changes are common. This flaw aligns with CWE-362, which identifies race conditions as a significant security concern, and can be categorized under ATT&CK technique T1499.004 for network disruption attacks that leverage kernel-level vulnerabilities.
Mitigation strategies for CVE-2022-49876 require immediate kernel updates to patched versions that properly synchronize access to the bss data structure during interface state transitions. System administrators should prioritize applying security patches from their respective kernel vendors, as the vulnerability exists at the core networking subsystem level. Additionally, implementing proper locking mechanisms and ensuring that all references to the bss structure are validated before access would prevent this race condition from occurring. Network monitoring solutions should be enhanced to detect unusual interface state changes that might trigger this vulnerability, while system administrators should consider implementing redundant wireless interfaces or failover mechanisms to maintain network availability during patch deployment. The fix implemented in the kernel addresses the synchronization issue by ensuring that packet transmission is properly halted before the bss structure is set to NULL, preventing the null pointer dereference that caused the general protection fault.