CVE-2022-49238
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's ath11k Wi-Fi driver for Qualcomm QCA6390 and WCN6855 chipsets. When a station disconnects from an access point, improper peer cleanup leads to memory corruption that can cause kernel crashes or potential privilege escalation. Systems using affected Wi-Fi hardware with vulnerable kernel versions are at risk.
💻 Affected Systems
- Linux kernel with ath11k driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential privilege escalation to kernel mode allowing full system compromise.
Likely Case
System instability, kernel crashes, or denial of service when Wi-Fi connections are established/disconnected.
If Mitigated
Minor performance impact or connection issues during Wi-Fi handoffs.
🎯 Exploit Status
Requires local network access and ability to trigger Wi-Fi connection/disconnection events. No public exploit code known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel stable releases containing commits 212ad7cb7d7592669c067125949e0a8e31ce6a0b and 400705c50bbf184794c885d1efad7fe9ccf1471a
Vendor Advisory: https://git.kernel.org/stable/c/212ad7cb7d7592669c067125949e0a8e31ce6a0b
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version.
2. For distributions: Use package manager to update kernel package.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable affected Wi-Fi hardware
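Linux: Temporarily disable or blacklist the ath11k driver to prevent use of the vulnerable hardware
# Run as root. QCA6390/WCN6855 are PCI devices bound by ath11k_pci, which depends on ath11k,
# so blacklist both; blacklisting ath11k alone does not stop ath11k_pci from loading it.
printf 'blacklist ath11k_pci\nblacklist ath11k\n' >> /etc/modprobe.d/blacklist-ath11k.conf
modprobe -r ath11k_pci   # also unloads ath11k once nothing else uses it
update-initramfs -u      # Debian/Ubuntu; use the distribution's own initramfs tool elsewhere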
🧯 If You Can't Patch
- Disable Wi-Fi functionality on affected systems
- Implement network segmentation to limit access to systems with vulnerable hardware
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if ath11k module is loaded: 'uname -r' and 'lsmod | grep ath11k'
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is updated and check for KASAN warnings in dmesg: 'dmesg | grep -i kasan'
📡 Detection & Monitoring
Log Indicators:
- KASAN use-after-free warnings in kernel logs
- Kernel panic messages related to ath11k driver
- Wi-Fi connection/disconnection anomalies
Network Indicators:
- Unusual Wi-Fi disconnection patterns
- Increased network errors on affected systems
SIEM Query:
source="kernel" AND ("KASAN" OR "use-after-free" OR "ath11k")
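The SIEM query above matches every kernel line that mentions ath11k, including routine driver messages. The following added example (not part of the original advisory) narrows the log indicators to KASAN use-after-free reports that name ath11k in the faulting symbol or in the trace that follows; the function names `scan_ath11k_uaf` and `sample_log`, the 40-line trace window, and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage kernel log text for KASAN use-after-free reports
# attributable to ath11k, rather than matching any line that mentions it.

# Reads kernel log lines on stdin; prints one line per finding.
# Exit status: 0 = at least one finding, 1 = none.
scan_ath11k_uaf() {
    awk '
        # KASAN report header; newer kernels print "slab-use-after-free".
        /BUG: KASAN: (slab-)?use-after-free in / {
            in_report = 1; budget = 40; header = $0   # 40-line window is an assumption
            if ($0 ~ /ath11k/) { print "KASAN-UAF ath11k: " header; found = 1; in_report = 0 }
            next
        }
        # Faulting symbol is elsewhere: look for ath11k frames in the trace.
        in_report && /ath11k/ {
            print "KASAN-UAF (ath11k in trace): " header; found = 1; in_report = 0; next
        }
        # Stop attributing lines to a report once the window is used up.
        in_report && --budget <= 0 { in_report = 0 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample log lines (not captured from a real system).
sample_log() {
    cat <<'EOF'
[  10.1] ath11k_pci 0000:03:00.0: constructed informational line
[  42.0] BUG: KASAN: use-after-free in example_driver_fn+0x10/0x20 [ath11k]
[  42.1] Read of size 8 at addr ffff888100000000 by task example/123
[  90.0] BUG: KASAN: use-after-free in unrelated_fn+0x10/0x20 [othermod]
[  90.1] Call Trace:
[  90.2]  unrelated_caller+0x5/0x10 [othermod]
EOF
}

# On a live host: dmesg | scan_ath11k_uaf   or   journalctl -k | scan_ath11k_uaf
sample_log | scan_ath11k_uaf
```

KASAN lines only appear on kernels built with CONFIG_KASAN, so an empty result on a production kernel does not by itself show the fix is present.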