{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-48876","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-16T11:38:08.922Z","datePublished":"2024-08-21T06:10:07.310Z","dateUpdated":"2025-05-04T08:25:18.052Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:25:18.052Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix initialization of rx->link and rx->link_sta\n\nThere are some codepaths that do not initialize rx->link_sta properly. This\ncauses a crash in places which assume that rx->link_sta is valid if rx->sta\nis valid.\nOne known instance is triggered by __ieee80211_rx_h_amsdu being called from\nfast-rx. It results in a crash like this one:\n\n BUG: kernel NULL pointer dereference, address: 00000000000000a8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G            E      6.1.0-debian64x+1.7 #3\n Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014\n RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]\n Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48\n       83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 <48> 83 84 d0 a8 00 00 00 01 41 8b 86 c0\n       11 00 00 8d 50 fd 83 fa 01\n RSP: 0018:ffff999040803b10 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900\n R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000\n FS:  0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0\n Call Trace:\n  <TASK>\n  __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]\n  ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]\n  ? __local_bh_enable_ip+0x3b/0xa0\n  ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]\n  ? prepare_transfer+0x109/0x1a0 [xhci_hcd]\n  ieee80211_rx_list+0xa80/0xda0 [mac80211]\n  mt76_rx_complete+0x207/0x2e0 [mt76]\n  mt76_rx_poll_complete+0x357/0x5a0 [mt76]\n  mt76u_rx_worker+0x4f5/0x600 [mt76_usb]\n  ? mt76_get_min_avg_rssi+0x140/0x140 [mt76]\n  __mt76_worker_fn+0x50/0x80 [mt76]\n  kthread+0xed/0x120\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x22/0x30\n\nSince the initialization of rx->link and rx->link_sta is rather convoluted\nand duplicated in many places, clean it up by using a helper function to\nset it.\n\n[remove unnecessary rx->sta->sta.mlo check]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mac80211/rx.c"],"versions":[{"version":"ccdde7c74ffd7e8bdd3cf685bbfa41231c8e3131","lessThan":"a57c981d9f24d2bd89eaa76dc477e8ca252e22e8","status":"affected","versionType":"git"},{"version":"ccdde7c74ffd7e8bdd3cf685bbfa41231c8e3131","lessThan":"e66b7920aa5ac5b1a1997a454004ba9246a3c005","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mac80211/rx.c"],"versions":[{"version":"6.1","status":"affected"},{"version":"0","lessThan":"6.1","status":"unaffected","versionType":"semver"},{"version":"6.1.8","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.1.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a57c981d9f24d2bd89eaa76dc477e8ca252e22e8"},{"url":"https://git.kernel.org/stable/c/e66b7920aa5ac5b1a1997a454004ba9246a3c005"}],"title":"wifi: mac80211: fix initialization of rx->link and rx->link_sta","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2022-48876","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:05:13.063011Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-12T17:32:53.407Z"}}]}}