Cyber Resilience

CVE-2022-49471

Severity: High

Published: 26 February 2025

Modified: 01 October 2025
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0004 (13.3th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49471 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel (product: Linux Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By EPSS exploit likelihood the CVE ranks at the 13.3th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified by this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49471 is an array-index out-of-bounds vulnerability in the Linux kernel's rtw89 Wi-Fi driver, specifically in the `rtw89_phy_cfo_parse` function in `phy.c`. The issue arises when the hardware reports an invalid `mac_id` value, such as index 188, that exceeds the bounds of a 64-element `s32` array. UBSAN detected the out-of-bounds access in the interrupt-driven receive path (`rtw89_core_rx`, reached from `rtw89_pci_napi_poll`), where it can corrupt kernel memory. The vulnerability is classified under CWE-129 (Improper Validation of Array Index) with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). The faulty code runs in the kernel's network receive processing and is triggered by hardware-supplied input, so a successful trigger can lead to arbitrary kernel memory read/write, a kernel crash (DoS), or privilege escalation; this is reflected in the high confidentiality (C:H), integrity (I:H), and availability (A:H) impacts within an unchanged security scope (S:U).

Kernel patches addressing this issue are available in the stable releases via the referenced commits: https://git.kernel.org/stable/c/03ed236480aeec8c2fd327a1ea6d711364c495e3, https://git.kernel.org/stable/c/97df85871a5b187609d30fca6d85b912d9e02f29, and https://git.kernel.org/stable/c/c32fafe68298bb599e825c298e1d0ba30186f0a5. The patches validate the `mac_id` index before it is used to access the array, rejecting out-of-range values. Affected systems should update to a patched kernel version.
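To make the defect and its fix concrete, the following is an added, self-contained C model of the pattern described above; it is not the rtw89 driver's code. It keeps the one fact the page gives (a 64-entry `s32` array indexed by a hardware-reported `mac_id`, with 188 as the offending value from the UBSAN report) and assumes everything else: the struct, field names (`cfo_tail`, `cfo_cnt`), the report format and the function names are constructed for illustration. The unchecked variant is shown only as the "before" shape and is never called with an invalid index; the checked variant is the form of the fix, a bounds test before any array access.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the driver state: a 64-entry s32 array indexed by
 * mac_id, matching the UBSAN report's "type 's32 [64]'". The field and
 * function names below are assumptions, not the rtw89 driver's own. */
#define CFO_MAX_STA 64

struct cfo_state {
    int32_t  cfo_tail[CFO_MAX_STA];  /* assumed: per-station CFO accumulator */
    uint32_t cfo_cnt[CFO_MAX_STA];   /* assumed: per-station sample count */
    uint32_t rejected;               /* added: count of reports dropped as invalid */
};

/* Constructed model of an RX status report: the hardware supplies mac_id and
 * a CFO sample, so mac_id is untrusted input from the driver's point of view. */
struct rx_report {
    uint8_t mac_id;
    int32_t cfo;
};

/* "Before" shape: trusts mac_id and indexes the array directly. With
 * mac_id == 188 this writes past the end of a 64-entry array. Kept only for
 * comparison; deliberately never called with an invalid index here. */
static void cfo_parse_unchecked(struct cfo_state *st, const struct rx_report *r)
{
    st->cfo_tail[r->mac_id] += r->cfo;
    st->cfo_cnt[r->mac_id]++;
}

/* "After" shape: validate the hardware-supplied index before touching the
 * array, which is the form of the fix the page describes. Returns true when
 * the report was accepted, false when it was rejected as out of range. */
static bool cfo_parse_checked(struct cfo_state *st, const struct rx_report *r)
{
    if (r->mac_id >= CFO_MAX_STA) {
        st->rejected++;          /* a defender-side counter worth alerting on */
        return false;
    }
    st->cfo_tail[r->mac_id] += r->cfo;
    st->cfo_cnt[r->mac_id]++;
    return true;
}

/* Feeds a constructed burst of reports, including the invalid index 188 from
 * the page's UBSAN trace and the off-by-one value 64, through the checked
 * parser and returns how many reports were rejected. */
static uint32_t run_sample_burst(struct cfo_state *st)
{
    const struct rx_report burst[] = {
        { .mac_id = 5,   .cfo = 120 },
        { .mac_id = 188, .cfo = -40 },   /* invalid: out of range for [64] */
        { .mac_id = 5,   .cfo = -20 },
        { .mac_id = 63,  .cfo = 7 },     /* last valid index */
        { .mac_id = 64,  .cfo = 1 },     /* off-by-one: also invalid */
    };
    memset(st, 0, sizeof(*st));
    for (size_t i = 0; i < sizeof(burst) / sizeof(burst[0]); i++)
        cfo_parse_checked(st, &burst[i]);
    return st->rejected;
}

int main(void)
{
    struct cfo_state st;
    struct rx_report ok = { .mac_id = 1, .cfo = 3 };

    uint32_t rejected = run_sample_burst(&st);
    cfo_parse_unchecked(&st, &ok);       /* safe only because mac_id 1 is in range */
    printf("rejected %u invalid reports; cfo_tail[5]=%d (cnt %u), cfo_tail[63]=%d\n",
           rejected, st.cfo_tail[5], st.cfo_cnt[5], st.cfo_tail[63]);
    return 0;
}
```

The comparison in `cfo_parse_checked` is `>=`, not `>`, so that index 64 is rejected along with 188; an off-by-one in the check would leave a one-element overrun. Counting rejections is a cheap way to surface misbehaving hardware in telemetry rather than silently dropping the reports.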

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

rtw89: cfo: check mac_id to avoid out-of-bounds

Somehow, hardware reports incorrect mac_id and pollutes memory. Check index before we access the array.

UBSAN: array-index-out-of-bounds in rtw89/phy.c:2517:23
index 188 is out of range for type 's32 [64]'
CPU: 1 PID: 51550 Comm: irq/35-rtw89_pc Tainted: G OE
Call Trace:
<IRQ>
show_stack+0x52/0x58
dump_stack_lvl+0x4c/0x63
dump_stack+0x10/0x12
ubsan_epilogue+0x9/0x45
__ubsan_handle_out_of_bounds.cold+0x44/0x49
? __alloc_skb+0x92/0x1d0
rtw89_phy_cfo_parse+0x44/0x7f [rtw89_core]
rtw89_core_rx+0x261/0x871 [rtw89_core]
? __alloc_skb+0xee/0x1d0
rtw89_pci_napi_poll+0x3fa/0x4ea [rtw89_pci]
__napi_poll+0x33/0x1a0
net_rx_action+0x126/0x260
? __queue_work+0x217/0x4c0
__do_softirq+0xd9/0x315
? disable_irq_nosync+0x10/0x10
do_softirq.part.0+0x6d/0x90
</IRQ>
<TASK>
__local_bh_enable_ip+0x62/0x70
rtw89_pci_interrupt_threadfn+0x182/0x1a6 [rtw89_pci]
irq_thread_fn+0x28/0x60
irq_thread+0xc8/0x190
? irq_thread_fn+0x60/0x60
kthread+0x16b/0x190
? irq_thread_check_affinity+0xe0/0xe0
? set_kthread_struct+0x50/0x50
ret_from_fork+0x22/0x30
</TASK>

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation (tactic: Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A kernel out-of-bounds write in a network driver enables local privilege escalation through memory corruption (T1068) and a system DoS through a kernel crash (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21680 (same product: Linux Linux Kernel)
CVE-2025-71086 (same product: Linux Linux Kernel)
CVE-2022-49170 (same product: Linux Linux Kernel)
CVE-2022-49186 (same product: Linux Linux Kernel)
CVE-2026-23354 (same product: Linux Linux Kernel)
CVE-2025-71100 (same product: Linux Linux Kernel)
CVE-2025-21692 (same product: Linux Linux Kernel)
CVE-2022-49720 (same product: Linux Linux Kernel)
CVE-2023-52987 (same product: Linux Linux Kernel)
CVE-2023-53019 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: ≤ 5.17.14, and 5.18 through 5.18.3

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-2 (Flaw Remediation). Timely remediation through kernel patching directly applies the fix that validates mac_id before array access, preventing the out-of-bounds vulnerability.

prevent: SI-10 (Information Input Validation). Requires validation of untrusted hardware inputs such as mac_id against array bounds in the rtw89 driver, directly stopping invalid index usage.

prevent: memory protection. Implements memory protections such as stack canaries and non-executable memory to mitigate potential memory corruption from out-of-bounds access even if validation fails.

References