CVE-2022-50678 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix invalid address access when enabling SCAN log level

The variable i is changed when setting random MAC address and causes invalid address access when printing the value of pi->reqs[i]->reqid.

We replace reqs index with ri to fix the issue.

[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ 136.737365] Mem abort info:
[ 136.740172] ESR = 0x96000004
[ 136.743359] Exception class = DABT (current EL), IL = 32 bits
[ 136.749294] SET = 0, FnV = 0
[ 136.752481] EA = 0, S1PTW = 0
[ 136.755635] Data abort info:
[ 136.758514] ISV = 0, ISS = 0x00000004
[ 136.762487] CM = 0, WnR = 0
[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
[ 136.772265] [0000000000000000] pgd=0000000000000000
[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1
[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
[ 136.828162] sp : ffff00000e9a3880
[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400
[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0
[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400
[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8
[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400
[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000
[ 136.863343] x17: 0000000000000000 x16: 0000000000000000
[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050
[ 136.873966] x13: 0000000000003135 x12: 0000000000000000
[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888
[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008
[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d
[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942
[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8
[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000
[ 136.911146] Call trace:
[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]
[ 136.937298] genl_rcv_msg+0x358/0x3f4
[ 136.940960] netlink_rcv_skb+0xb4/0x118
[ 136.944795] genl_rcv+0x34/0x48
[ 136.947935] netlink_unicast+0x264/0x300
[ 136.951856] netlink_sendmsg+0x2e4/0x33c
[ 136.955781] __sys_sendto+0x120/0x19c

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 03/29/2026

The vulnerability CVE-2022-50678 affects the Linux kernel's brcmfmac driver, which manages Broadcom wireless network adapters. This issue arises from improper handling of array indexing during wireless scan logging operations, specifically when random MAC addresses are configured. The flaw manifests as an invalid memory access when attempting to print the request ID of a scheduled scan operation, leading to a kernel oops and potential system instability. The root cause lies in the reuse of a loop counter variable 'i' for both iteration and array indexing purposes, creating a scenario where the index becomes invalid after MAC address randomization operations.

The technical implementation of this vulnerability demonstrates a classic buffer overflow pattern where the variable 'i' is modified during random MAC address assignment, causing subsequent access to the reqs array using an invalid index value. This results in attempting to access kernel memory outside of proper user access routines, as evidenced by the error message indicating access to virtual address zero. The kernel's memory management subsystem detects this invalid access and triggers a data abort exception with ESR value 0x96000004, indicating a data read operation that failed due to an invalid address. The stack trace shows the failure occurring in brcmf_pno_config_sched_scans function within the brcmfmac module, which is part of the broader wireless configuration subsystem.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation or denial of service conditions in wireless networking environments. Attackers could exploit this flaw by triggering specific wireless scan operations that activate the problematic code path, particularly in systems running the affected kernel versions. The vulnerability affects devices using Broadcom wireless chips and is particularly concerning in embedded systems or IoT devices where wireless connectivity is essential for operation. The issue is classified as a memory corruption vulnerability under CWE-129, which specifically addresses improper validation of array indices, and aligns with ATT&CK technique T1068 for privilege escalation through kernel exploits. The flaw represents a failure in input validation and memory management practices within the wireless subsystem.

Mitigation strategies for CVE-2022-50678 include immediate kernel updates to versions that contain the fix, which replaces the problematic index variable 'i' with a dedicated 'ri' variable to prevent index corruption during MAC address randomization. System administrators should also implement monitoring for abnormal wireless scan behavior and ensure that wireless network configurations do not trigger the vulnerable code path unnecessarily. Additional defensive measures include restricting wireless configuration access to trusted users and implementing proper kernel hardening techniques such as stack canaries and address space layout randomization. The fix demonstrates proper defensive programming practices by separating loop control variables from data access indices, preventing the type of variable reuse that led to the memory corruption. Organizations should prioritize patching systems running affected kernel versions, particularly those in production environments where wireless connectivity is critical for operations.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00225

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!