Cyber Resilience

CVE-2022-49740

Severity: High
Published: 27 March 2025
Modified: 01 October 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (6.7th percentile)
Risk Priority: 14 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49740 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel (vendor Linux, product Linux Kernel). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Hardware Additions (T1200). EPSS ranks it at the 6.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-41 (Port and I/O Device Access) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-49740 is a slab-out-of-bounds read in the Linux kernel's brcmfmac WiFi driver, in the functions brcmf_construct_chaninfo() and brcmf_enable_bw40_2g(). Both walk a list of channel specifications returned by the device and trust the device-provided count. When that count exceeds the number of entries that fit in the 'list->element[]' buffer, whose size is fixed by the kzalloc() allocation made in brcmf_setup_wiphybands() or brcmf_cfg80211_attach(), the loop reads past the end of the allocation. KASAN caught these invalid reads during device initialization, as the crash reports in the commit message show.

A local attacker with low privileges can trigger the flaw by connecting a malicious USB device that the brcmfmac driver binds to; the out-of-bounds reads occur while the device is enumerated and probed in the usb_hub_wq workqueue. The impact is scored as high confidentiality (memory disclosure) and high availability (system crash), with no integrity impact and no scope change: CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, score 7.1. The weakness class is CWE-125 (Out-of-bounds Read).

Kernel patch commits referenced in advisories, such as git.kernel.org/stable/c/4920ab131b2dbae7464b72bdcac465d070254209 and the corresponding stable backports, fix the issue by checking the count in both affected functions and, when it exceeds the allocated size, freeing the buffer and returning -EINVAL. The callers, brcmf_setup_wiphybands() and brcmf_cfg80211_attach(), already handle a negative return. Systems should update to kernels that include these backports.

The vulnerability was discovered by a modified version of the syzkaller fuzzer, with no evidence of real-world exploitation reported.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads

This patch fixes slab-out-of-bounds reads in brcmfmac that occur in brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count value of channel specifications provided by the device is greater than the length of 'list->element[]', decided by the size of the 'list' allocated with kzalloc(). The patch adds checks that make the functions free the buffer and return -EINVAL if that is the case. Note that the negative return is handled by the caller, brcmf_setup_wiphybands() or brcmf_cfg80211_attach(). Found by a modified version of syzkaller.

Crash Report from brcmf_construct_chaninfo():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896

CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0.cold+0x93/0x334
 kasan_report.cold+0x83/0xdf
 brcmf_setup_wiphybands+0x1238/0x1430
 brcmf_cfg80211_attach+0x2118/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

Allocated by task 1896:
 kasan_save_stack+0x1b/0x40
 __kasan_kmalloc+0x7c/0x90
 kmem_cache_alloc_trace+0x19e/0x330
 brcmf_setup_wiphybands+0x290/0x1430
 brcmf_cfg80211_attach+0x2118/0x3fd0
 brcmf_attach+0x389/0xd40
 brcmf_usb_probe+0x12de/0x1690
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_set_configuration+0x984/0x1770
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 bus_for_each_drv+0x123/0x1a0
 __device_attach+0x207/0x330
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 usb_new_device.cold+0x463/0xf66
 hub_event+0x10d5/0x3330
 process_one_work+0x873/0x13e0
 worker_thread+0x8b/0xd10
 kthread+0x379/0x450
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888115f24000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
 2048-byte region [ffff888115f24000, ffff888115f24800)

Memory state around the buggy address:
 ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crash Report from brcmf_enable_bw40_2g():
========== ---truncated---
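To make the count-versus-allocation mismatch from the analysis and the commit message concrete, here is an added stand-alone C model of the check the fix introduces; it is not the kernel's brcmfmac code, and the struct layout, the 64-byte reply buffer and the chanspec values are assumptions for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the device-supplied list ('count' followed by count
 * 32-bit specs); mirrors the advisory's shape, not the kernel definition. */
struct chanspec_list {
    uint32_t count;
    uint32_t element[];
};

#define LIST_BUF_LEN 64u /* assumed size of the kzalloc()'d reply buffer */
#define MAX_ELEMENTS ((LIST_BUF_LEN - sizeof(uint32_t)) / sizeof(uint32_t))

/* The check the fix adds: a device-chosen count must fit the allocation.
 * Returns 0 if element[0..count) lies within buf_len bytes, else -EINVAL. */
int chanspec_list_check(const struct chanspec_list *list, size_t buf_len)
{
    size_t max = (buf_len - sizeof(list->count)) / sizeof(list->element[0]);
    return list->count > max ? -EINVAL : 0;
}

/* Simulated firmware reply: the device picks 'count' freely while the buffer
 * stays LIST_BUF_LEN bytes, which is exactly the mismatch behind the bug. */
static struct chanspec_list *device_reply(uint32_t count)
{
    struct chanspec_list *list = calloc(1, LIST_BUF_LEN); /* kzalloc() analogue */
    if (!list)
        return NULL;
    list->count = count;
    for (size_t i = 0; i < count && i < MAX_ELEMENTS; i++)
        list->element[i] = 0x1000u + (uint32_t)i; /* constructed chanspecs */
    return list;
}

/* Hardened walk, as the patched functions do: validate before indexing
 * element[]. Returns the number of specs visited, or a negative errno. */
int walk_chanspecs(uint32_t count)
{
    struct chanspec_list *list = device_reply(count);
    if (!list)
        return -ENOMEM;
    int err = chanspec_list_check(list, LIST_BUF_LEN);
    if (err) {
        free(list); /* the fix frees the buffer and returns -EINVAL */
        return err;
    }
    int visited = 0;
    for (uint32_t i = 0; i < list->count; i++)
        visited += list->element[i] != 0;
    free(list);
    return visited;
}
```

Without the check, a count of 16 or more would make the loop index past the 64-byte allocation, which is the read KASAN reports above.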

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1200 Hardware Additions (Initial Access): Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability is exploited by connecting a malicious USB device (T1200) and leads to system crashes enabling denial of service (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21717 (same product: Linux Linux Kernel)
CVE-2022-49706 (same product: Linux Linux Kernel)
CVE-2026-43006 (same product: Linux Linux Kernel)
CVE-2025-21794 (same product: Linux Linux Kernel)
CVE-2022-49674 (same product: Linux Linux Kernel)
CVE-2022-49401 (same product: Linux Linux Kernel)
CVE-2026-23388 (same product: Linux Linux Kernel)
CVE-2022-49163 (same product: Linux Linux Kernel)
CVE-2026-23102 (same product: Linux Linux Kernel)
CVE-2022-49444 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: ≤ 5.4.232; 5.5 to 5.10.168; 5.11 to 5.15.93

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent (SI-10, Information Input Validation): validate the channel specification count supplied by the WiFi device against the allocated buffer before it is used, which is what the kernel fix adds to the brcmfmac driver functions.

Prevent (flaw remediation): apply the kernel patches that add the bounds checks and return -EINVAL on invalid counts in brcmf_construct_chaninfo() and brcmf_enable_bw40_2g().

Prevent (SC-41, Port and I/O Device Access): restrict unauthorized USB device connections so that an untrusted WiFi adapter cannot reach the vulnerable code during usb_hub_wq enumeration and probe.
