CVE-2022-49471
Published: 26 February 2025
Summary
CVE-2022-49471 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel, in the rtw89 Realtek Wi-Fi driver. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 13.3rd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49471 is an array-index out-of-bounds bug in the Linux kernel's rtw89 driver (Realtek 802.11ax Wi-Fi), in `rtw89_phy_cfo_parse` in `rtw89/phy.c`, the routine that accumulates carrier frequency offset (CFO) samples per station. The index is the `mac_id` that the hardware reports in the PHY status of each received frame. When that value is invalid (188 in the report below), it is used to index a 64-element `s32` array with no range check, so the update lands outside the array. UBSAN's array-bounds instrumentation caught it in the receive path: `rtw89_phy_cfo_parse` called from `rtw89_core_rx` inside `rtw89_pci_napi_poll`, running in softirq context under the driver's threaded interrupt handler. The weakness is classified as CWE-129 (Improper Validation of Array Index).
The CVSS v3.1 vector behind the 7.8 score is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: a local, low-privileged attacker (PR:L), low attack complexity (AC:L), no user interaction (UI:N), and high impact on confidentiality, integrity and availability (C:H/I:H/A:H) within an unchanged scope (S:U). Two caveats matter for triage. First, the fault is an out-of-bounds write of a 32-bit value past a 64-entry array in the driver's tracking state, not an arbitrary read/write primitive; the realistic outcome is corruption of whatever follows the array, that is a kernel crash or driver misbehaviour, with privilege escalation the theoretical worst case behind the C:H/I:H ratings. Second, the trigger is hardware-reported data: the commit message attributes the bad `mac_id` to the device itself ("Somehow, hardware reports incorrect mac_id"), and nothing on this page shows a local action or a received frame that forces that value, so attacker control over the trigger is not established here.
Kernel patches addressing this issue are available in stable releases via the referenced commits: https://git.kernel.org/stable/c/03ed236480aeec8c2fd327a1ea6d711364c495e3, https://git.kernel.org/stable/c/97df85871a5b187609d30fca6d85b912d9e02f29, and https://git.kernel.org/stable/c/c32fafe68298bb599e825c298e1d0ba30186f0a5. These patches add validation to check the `mac_id` index before array access, preventing out-of-bounds operations. Systems should update to a patched kernel version to mitigate the risk.
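As an added illustration (this is not the kernel's code; the struct, field and function names are this example's own, loosely modelled on the driver), the following userspace C program shows the two shapes of the `mac_id` lookup: the unchecked form that UBSAN flagged, and the bounds-checked form that the fix introduces. It replays a constructed batch of PHY reports, including the index 188 from the report, through the checked parser.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bound of the per-station CFO arrays; 64 matches the 's32 [64]' type in the
 * UBSAN report on this page. All names below are this example's own
 * (assumptions modelled on the rtw89 driver, not copied from it). */
#define CFO_TRACK_MAX_USER 64

struct cfo_tracking_info {
	int32_t  cfo_tail[CFO_TRACK_MAX_USER]; /* accumulated CFO per mac_id */
	uint16_t cfo_cnt[CFO_TRACK_MAX_USER];  /* samples per mac_id */
	uint32_t packet_count;                 /* samples accepted */
	uint32_t dropped;                      /* samples rejected by the bounds check */
};

/* Stand-in for the PHY status the hardware attaches to a received frame.
 * mac_id is filled in by hardware/firmware, so the driver must treat it as
 * untrusted input even though it never crosses a user boundary. */
struct rx_phy_ppdu {
	uint8_t mac_id;
	int16_t cfo_val;
};

/* Vulnerable shape: the hardware-supplied index goes straight into the array.
 * With mac_id = 188 this stores 124 slots past the end of cfo_tail, beyond
 * the end of the struct, which is the "pollute memory" the commit describes.
 * Kept only for contrast; never call it with an unchecked index. */
void cfo_parse_unchecked(struct cfo_tracking_info *cfo, const struct rx_phy_ppdu *ppdu)
{
	cfo->cfo_tail[ppdu->mac_id] += ppdu->cfo_val;
	cfo->cfo_cnt[ppdu->mac_id]++;
	cfo->packet_count++;
}

/* Hardened shape, the pattern of the fix: reject the sample when the index is
 * outside the array. mac_id is unsigned here, so one >= comparison covers every
 * invalid value (a signed index would also need a < 0 check). Returns true when
 * the sample was recorded. The kernel fix simply skips the sample; this example
 * also counts rejections so a burst of bad reports stays visible. */
bool cfo_parse_checked(struct cfo_tracking_info *cfo, const struct rx_phy_ppdu *ppdu)
{
	uint8_t mac_id = ppdu->mac_id;

	if (mac_id >= CFO_TRACK_MAX_USER) {
		cfo->dropped++;
		return false;
	}
	cfo->cfo_tail[mac_id] += ppdu->cfo_val;
	cfo->cfo_cnt[mac_id]++;
	cfo->packet_count++;
	return true;
}

/* Replays a constructed batch of PHY reports (sample data made up for this
 * example), including the mac_id 188 from the UBSAN report, through the
 * checked parser and returns the resulting tracking state by value. */
struct cfo_tracking_info run_scenario(void)
{
	struct cfo_tracking_info cfo;
	const struct rx_phy_ppdu reports[] = {
		{ .mac_id = 3,   .cfo_val = -25 },
		{ .mac_id = 3,   .cfo_val = 10 },
		{ .mac_id = 188, .cfo_val = 500 }, /* the invalid index from the report */
		{ .mac_id = 63,  .cfo_val = 7 },   /* last valid slot */
	};
	size_t i;

	memset(&cfo, 0, sizeof(cfo));
	for (i = 0; i < sizeof(reports) / sizeof(reports[0]); i++)
		cfo_parse_checked(&cfo, &reports[i]);
	return cfo;
}

/* Reads one accumulated slot from a by-value snapshot, bounds-checked as well. */
int32_t tail_of(struct cfo_tracking_info cfo, uint8_t mac_id)
{
	return mac_id < CFO_TRACK_MAX_USER ? cfo.cfo_tail[mac_id] : 0;
}

int main(void)
{
	struct cfo_tracking_info cfo = run_scenario();

	printf("accepted=%u dropped=%u cfo_tail[3]=%d cfo_cnt[3]=%u cfo_tail[63]=%d\n",
	       cfo.packet_count, cfo.dropped, cfo.cfo_tail[3], cfo.cfo_cnt[3],
	       cfo.cfo_tail[63]);
	return 0;
}
```

Building with `gcc -Wall -fsanitize=undefined` and routing the 188 report through `cfo_parse_unchecked` instead reproduces, in userspace, the same kind of out-of-bounds index diagnostic that the kernel's UBSAN produced; the checked path accepts three samples, drops one and leaves every slot at or beyond index 64 untouched.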
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54758
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

rtw89: cfo: check mac_id to avoid out-of-bounds

Somehow, hardware reports incorrect mac_id and pollutes memory. Check index before we access the array.

```
UBSAN: array-index-out-of-bounds in rtw89/phy.c:2517:23
index 188 is out of range for type 's32 [64]'
CPU: 1 PID: 51550 Comm: irq/35-rtw89_pc Tainted: G OE
Call Trace:
 <IRQ>
 show_stack+0x52/0x58
 dump_stack_lvl+0x4c/0x63
 dump_stack+0x10/0x12
 ubsan_epilogue+0x9/0x45
 __ubsan_handle_out_of_bounds.cold+0x44/0x49
 ? __alloc_skb+0x92/0x1d0
 rtw89_phy_cfo_parse+0x44/0x7f [rtw89_core]
 rtw89_core_rx+0x261/0x871 [rtw89_core]
 ? __alloc_skb+0xee/0x1d0
 rtw89_pci_napi_poll+0x3fa/0x4ea [rtw89_pci]
 __napi_poll+0x33/0x1a0
 net_rx_action+0x126/0x260
 ? __queue_work+0x217/0x4c0
 __do_softirq+0xd9/0x315
 ? disable_irq_nosync+0x10/0x10
 do_softirq.part.0+0x6d/0x90
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x62/0x70
 rtw89_pci_interrupt_threadfn+0x182/0x1a6 [rtw89_pci]
 irq_thread_fn+0x28/0x60
 irq_thread+0xc8/0x190
 ? irq_thread_fn+0x60/0x60
 kthread+0x16b/0x190
 ? irq_thread_check_affinity+0xe0/0xe0
 ? set_kthread_struct+0x50/0x50
 ret_from_fork+0x22/0x30
 </TASK>
```
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A kernel out-of-bounds write in a network driver enables local privilege escalation via memory corruption (T1068) and system denial of service via a kernel crash (T1499.004, Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the stable kernel update carrying the fix, which validates `mac_id` against the array size before the array is accessed. This is the only control that removes the defect.
- SI-10 (Information Input Validation): the driver-level principle the fix embodies. Values supplied by hardware or firmware, such as `mac_id`, are untrusted input and must be range-checked before they are used as an index.
- Memory protection: kernel hardening can surface or contain the fault when validation is missing, but it does not prevent the corruption. The report on this page came from the kernel's UBSAN array-bounds instrumentation (CONFIG_UBSAN_BOUNDS); KASAN helps only when the write leaves the enclosing allocation, so for an array embedded in a larger structure UBSAN's bounds check is what catches an intra-object overflow. Stack canaries and non-executable memory do not stop an out-of-bounds store into a data array, so they are defence in depth, not a substitute for the patch.