In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Fix UAF in ieee80211_scan_rx()
ieee80211_scan_rx() tries to access scan_req->flags after a
null check, but a UAF is observed when the scan is completed
and __ieee80211_scan_completed() executes, which then calls
cfg80211_scan_done() leading to the freeing of scan_req.
Since scan_req is rcu_dereference()'d, prevent the racing in
__ieee80211_scan_completed() by ensuring that from mac80211's
POV it is no longer accessed from an RCU read critical section
before we call cfg80211_scan_done().
Metrics
Affected Vendors & Products
References
History
Fri, 20 Jun 2025 23:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
cvssV3_1
|
Wed, 18 Jun 2025 11:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix UAF in ieee80211_scan_rx() ieee80211_scan_rx() tries to access scan_req->flags after a null check, but a UAF is observed when the scan is completed and __ieee80211_scan_completed() executes, which then calls cfg80211_scan_done() leading to the freeing of scan_req. Since scan_req is rcu_dereference()'d, prevent the racing in __ieee80211_scan_completed() by ensuring that from mac80211's POV it is no longer accessed from an RCU read critical section before we call cfg80211_scan_done(). | |
Title | wifi: mac80211: Fix UAF in ieee80211_scan_rx() | |
References |
|
|

Status: PUBLISHED
Assigner: Linux
Published: 2025-06-18T10:54:36.161Z
Updated: 2025-07-15T15:43:39.598Z
Reserved: 2025-05-01T14:05:17.254Z
Link: CVE-2022-49934

No data.

Status : Awaiting Analysis
Published: 2025-06-18T11:15:19.400
Modified: 2025-06-18T13:46:52.973
Link: CVE-2022-49934
