5 critical remote code execution vulnerabilities in Linux kernel. Patch immediately!

Researchers have found five serious flaws in the Linux kernel WiFi stack that an attacker might use to execute arbitrary code or cause a denial of service.

CVE-2022-42719

The vulnerability, identified as CVE-2022-42719, is caused by a use-after-free issue in the multi-BSSID element handling of the ieee802_11_parse_elems_full function in net/mac80211/util.c. A remote authenticated adversary might leverage this issue to execute arbitrary code or bring down the system by sending a carefully crafted request. In v5.2-rc1, the CVE-2022-42719 vulnerability was first made public.

CVE-2022-42720

The vulnerability, identified as CVE-2022-42720, is caused by a use-after-free issue in the multi-BSSID part of the bss_ref_get function in net/wireless/scan.c. A remote authenticated adversary might leverage this issue to execute arbitrary code or bring down the system by sending a carefully crafted request.

CVE-2022-42721

The security vulnerability, identified as CVE-2022-42721, is caused by a list corruption bug in the cfg80211_add_nontrans_list function in net/wireless/scan.c. An authorized adversary might take advantage of this weakness to trigger a denial of service by sending a specially crafted request. The corrupted list leads to an endless loop, which causes the DoS.

CVE-2022-42722

The vulnerability, identified as CVE-2022-42722, is caused by a flaw involving P2P-Device in WiFi, located in ieee80211_rx_h_decrypt in net/mac80211/rx.c. A local authenticated intruder might leverage this issue to create a denial of service by delivering a carefully crafted request.

CVE-2022-41674

The vulnerability, identified as CVE-2022-41674, is caused by a buffer overflow in the cfg80211_update_notlisted_nontrans() function in net/wireless/scan.c, part of the WiFi subcomponent. A remote authenticated adversary might leverage this issue to execute arbitrary code or cause the system to crash by sending a carefully crafted request.

The Linux kernel maintainers have now formally released security fixes. Users are advised to update Linux servers right away and to install their distribution's fixes as soon as they become available.