CVE-2022-48875
📋 TL;DR
A race condition vulnerability in the Linux kernel's WiFi subsystem (mac80211) where a NULL pointer dereference can occur during AMPDU session handling when deauthentication is in progress. This affects Linux systems with WiFi functionality, potentially causing kernel panics or denial of service.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, requiring physical or remote reboot.
Likely Case
System instability or crash when WiFi connections are being terminated while AMPDU sessions are active.
If Mitigated
Minor service interruption if system automatically recovers from kernel panic.
🎯 Exploit Status
Requires specific timing conditions during WiFi deauthentication while AMPDU sessions are being established.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 187523fa7c2d4c780f775cb869216865c4a909ef, 69403bad97aa0162e3d7911b27e25abe774093df, a12fd43bd175fa52c82f9740179d38c34ca1b62e, c838df8461a601b20dc1b9fb1834d2aad8e2f949
Vendor Advisory: https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version.
2. Check distribution-specific security advisories.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable AMPDU aggregation
Linux: Prevents the vulnerable code path by disabling AMPDU functionality
iw dev wlan0 set ampdu_tx off
iw dev wlan0 set ampdu_rx off
Disable WiFi if not needed
Linux: Remove attack surface by disabling WiFi interfaces
ip link set wlan0 down
🧯 If You Can't Patch
- Implement network segmentation to limit WiFi access to trusted devices only
- Monitor for kernel panic events and implement automatic recovery mechanisms
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if WiFi is enabled: uname -r && ip link show | grep wlan
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel version is after the fix commits, and test WiFi deauthentication scenarios
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- BUG: unable to handle page fault
- mac80211 error logs during deauthentication
Network Indicators:
- Unusual WiFi deauthentication patterns
- Multiple AMPDU session start failures
SIEM Query:
source="kernel" AND ("page fault" OR "mac80211" OR "AMPDU")
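The SIEM query above matches any kernel line that mentions mac80211 or AMPDU, so its hits need triage. The following Python script is an added example, not part of the original advisory or of the kernel project: it groups dmesg-style lines into bursts and flags only those where a crash indicator and a mac80211/AMPDU line occur together. The sample log, the 2-second gap, the function names and the verdict labels are assumptions made for illustration.

```python
import re

# Indicators taken from the page's log-indicator list and SIEM query.
CRASH = re.compile(r"Kernel panic|page fault", re.I)
WIFI = re.compile(r"mac80211|AMPDU", re.I)
STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")

# Constructed sample kernel log (not captured from a real system).
SAMPLE_LOG = """\
[  100.000000] wlan0: deauthenticating from 02:00:00:00:00:01 by local choice
[  100.010000] BUG: unable to handle page fault for address: 0000000000000000
[  100.010500]  constructed_fn+0x10/0x20 [mac80211]
[  100.011000] Kernel panic - not syncing: Fatal exception
[  900.000000] BUG: unable to handle page fault for address: ffff888000000000
[ 1500.000000] wlan0: AMPDU session start failed
""".splitlines()

def incidents(lines, gap=2.0):
    """Group timestamped kernel lines into bursts separated by more than gap seconds."""
    groups, current, last = [], [], None
    for raw in lines:
        m = STAMP.match(raw)
        if not m:
            continue  # skip lines without a dmesg-style timestamp
        ts, msg = float(m.group(1)), m.group(2)
        if last is not None and ts - last > gap:
            groups.append(current)
            current = []
        current.append((ts, msg))
        last = ts
    if current:
        groups.append(current)
    return groups

def triage(lines, gap=2.0):
    """Return (burst start time, verdict) for every burst that hits an indicator."""
    results = []
    for group in incidents(lines, gap):
        crash = any(CRASH.search(msg) for _, msg in group)
        wifi = any(WIFI.search(msg) for _, msg in group)
        if crash or wifi:
            # Only a crash with WiFi context in the same burst is worth escalating.
            verdict = ("investigate" if crash and wifi
                       else "crash-other" if crash else "wifi-only")
            results.append((group[0][0], verdict))
    return results

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the output of `dmesg` or `journalctl -k -o short-monotonic` split into lines; bursts marked "wifi-only" are the noise the broad query would otherwise surface.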