Use-after-free in Linux kernel mediatek mt76 driver
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-49328 |
| CWE-ID | CWE-416 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Linux kernel Operating systems & Components / Operating system |
| Vendor | Linux Foundation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Use-after-free
EUVDB-ID: #VU104459
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-49328
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the mt76_txq_stopped() and mt76_txq_schedule_list() functions in drivers/net/wireless/mediatek/mt76/tx.c, within the mt7921_add_interface() function in drivers/net/wireless/mediatek/mt76/mt7921/main.c, within the mt7915_add_interface() function in drivers/net/wireless/mediatek/mt76/mt7915/main.c, within the mt76x02_vif_init() and mt76x02_remove_interface() functions in drivers/net/wireless/mediatek/mt76/mt76x02_util.c, within the mt7615_add_interface() function in drivers/net/wireless/mediatek/mt76/mt7615/main.c, within the mt7603_add_interface() function in drivers/net/wireless/mediatek/mt76/mt7603/main.c, within the mt76_sta_add() function in drivers/net/wireless/mediatek/mt76/mac80211.c. A local user can escalate privileges on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsLinux kernel: 5.17 - 5.17.13
CPE2.3- cpe:2.3:o:linux_foundation:linux_kernel:5.17:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc8:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc9:*:*:*:*:*:*
https://git.kernel.org/stable/c/4448327b41738dbfcda680eb4935ff835568f468
https://git.kernel.org/stable/c/51fb1278aa57ae0fc54adaa786e1965362bed4fb
https://git.kernel.org/stable/c/d5f77f1dbb59feae81f88e44551e8e1d8a802d9a
https://git.kernel.org/stable/c/e55bcdd0bf34a8b10d45ce80ebb3164c5292a17d
https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.14
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
