CVE-2022-50533
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: mlme: fix null-ptr deref on failed assoc If association to an AP without a link 0 fails, then we crash in tracing because it assumes that either ap_mld_addr or link 0 BSS is valid, since we clear sdata->vif.valid_links and then don't add the ap_mld_addr to the struct. Since we clear also sdata->vif.cfg.ap_addr, keep a local copy of it and assign it earlier, before clearing valid_links, to fix this.
Analysis
A null pointer dereference vulnerability exists in the Linux kernel's WiFi mac80211 MLME (MAC Layer Management Entity) implementation: the kernel crashes in the association tracing path when association to an AP without a link 0 fails. The vulnerability affects every Linux kernel version that contains this mac80211 code path, and allows a local, low-privileged user to trigger a denial of service. The EPSS score of 0.01% indicates a very low predicted probability of exploitation in the wild; patches are publicly available from kernel.org.
Technical Context
This vulnerability resides in the Linux kernel's mac80211 wireless subsystem (CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*), specifically within the MLME (MAC Layer Management Entity) association logic. The root cause is classified as CWE-476 (Null Pointer Dereference) and occurs in the tracing code path when WiFi association fails. The tracing code dereferences either ap_mld_addr or the link 0 BSS pointer without checking that one of them exists; on association failure, sdata->vif.valid_links and sdata->vif.cfg.ap_addr are cleared, but the tracing code still assumes these structures hold valid data, leading to a kernel panic. The fix keeps a local copy of ap_addr and assigns it before valid_links is cleared, so the trace functions still have a valid address to read.
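As an added example that is not the page's or the kernel's code, the following constructed C model shows the ordering problem the description gives: a trace hook that assumes either ap_mld_addr or a link 0 BSS exists, a buggy failure path that clears the vif state before tracing, and the fixed path that takes a local copy of ap_addr first. All struct and function names are illustrative assumptions, not mac80211 definitions.

```c
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6
/* Constructed model of the fields the description names; names and layout
 * are illustrative, not the kernel's definitions. */
struct link_data { const uint8_t *bssid; };   /* NULL until a BSS is attached */
struct vif {
    uint16_t valid_links;                 /* bitmap of active links */
    uint8_t ap_mld_addr[ETH_ALEN];        /* set only when valid_links != 0 */
    struct { uint8_t ap_addr[ETH_ALEN]; } cfg;
    struct link_data *link[2];            /* link 0 may be NULL under MLO */
};
/* The tracing code's assumption: a caller-supplied address, else ap_mld_addr
 * when links are valid, else link 0's BSS. Returns NULL where the real code
 * would dereference a null pointer (CWE-476). */
static const uint8_t *trace_addr(const struct vif *vif, const uint8_t *given)
{
    if (given)
        return given;
    if (vif->valid_links)
        return vif->ap_mld_addr;
    if (!vif->link[0] || !vif->link[0]->bssid)
        return NULL;
    return vif->link[0]->bssid;
}
/* Buggy order: clear vif state, then trace with nothing valid left to read. */
static const uint8_t *failed_assoc_buggy(struct vif *vif)
{
    memset(vif->cfg.ap_addr, 0, ETH_ALEN);
    vif->valid_links = 0;
    return trace_addr(vif, NULL);
}
/* Fixed order: copy ap_addr before clearing and hand that copy to the trace. */
static const uint8_t *failed_assoc_fixed(struct vif *vif, uint8_t copy[ETH_ALEN])
{
    memcpy(copy, vif->cfg.ap_addr, ETH_ALEN); /* local copy, taken first */
    memset(vif->cfg.ap_addr, 0, ETH_ALEN);
    vif->valid_links = 0;
    return trace_addr(vif, copy);
}

/* Scenario from the description: an MLO association with no link 0 fails.
 * Returns the address the trace records, or NULL where the buggy path crashes. */
const uint8_t *run_failed_assoc(int fixed, uint8_t out[ETH_ALEN])
{
    static struct link_data l1 = { (const uint8_t *)"\x02\x11\x22\x33\x44\x55" };
    struct vif v = { .valid_links = 1u << 1, .link = { NULL, &l1 } };
    memcpy(v.cfg.ap_addr, "\x02\xaa\xbb\xcc\xdd\xee", ETH_ALEN);  /* constructed */
    memcpy(v.ap_mld_addr, v.cfg.ap_addr, ETH_ALEN);
    return fixed ? failed_assoc_fixed(&v, out) : failed_assoc_buggy(&v);
}
```

Calling run_failed_assoc(0, out) models the crash (NULL), while run_failed_assoc(1, out) records the AP address the association was clearing.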
Affected Products
The Linux kernel is affected across all versions containing the vulnerable mac80211 MLME association code path (CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). The exact affected version range is not explicitly specified in the vulnerability description, but the kernel.org patch references (commits 78a6a43aaf87180ec7425a2a90468e1b4d09a1ec, bb7743955a929e44b308cc3f63f8cc03873c1bee, c695dfba8dfb82dc7ace4f22be088916cbf621ca) indicate that releases predating those commits are affected. Systems running WiFi drivers that depend on mac80211 are affected. Users should check their kernel version against the commit history of kernel.org's stable branches.
Remediation
Apply the official Linux kernel patch available at https://git.kernel.org/stable/ using any of the three provided commits (78a6a43aaf87180ec7425a2a90468e1b4d09a1ec, bb7743955a929e44b308cc3f63f8cc03873c1bee, or c695dfba8dfb82dc7ace4f22be088916cbf621ca) or upgrade to a kernel version that includes these fixes. Most Linux distributions will backport this patch into their stable kernel updates; check your distribution's security advisory. Until patching is possible, disable WiFi tracing via sysctl or kernel module parameters if feasible in your environment, though this is a workaround rather than a true fix. The primary remediation is kernel upgrade or patch application, which can typically be performed with standard package manager updates (apt, yum, dnf, etc.).