CVE-2022-49533

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49533
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49533.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49533
Published
2025-02-26T02:13:52Z
Modified
2025-10-21T10:28:22.995706Z
Summary
ath11k: Change max no of active probe SSID and BSSID to fw capability
Details

In the Linux kernel, the following vulnerability has been resolved:

ath11k: Change max no of active probe SSID and BSSID to fw capability

The maximum number of SSIDs for active probe requests is currently reported as 16 (WLAN_SCAN_PARAMS_MAX_SSID) when registering the driver. The scan_req_params structure only has the capacity to hold 10 SSIDs. This leads to a buffer overflow which can be triggered from wpa_supplicant in userspace. When copying the SSIDs into the scan_req_params structure in the ath11k_mac_op_hw_scan route, it can overwrite the extraie pointer.

Firmware supports 16 ssid * 4 bssid, for each ssid 4 bssid combo probe request will be sent, so totally 64 probe requests supported. So set both max ssid and bssid to 16 and 4 respectively. Remove the redundant macros of ssid and bssid.

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01300-QCAHKSWPL_SILICONZ-1

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d5c65159f2895379e11ca13f62feabe93278985d
Fixed
210505788f1d243232e21ef660efcd4838890ce8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d5c65159f2895379e11ca13f62feabe93278985d
Fixed
ec5dfa1d66f2f71a48dab027d26a9fa78eb0f58f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d5c65159f2895379e11ca13f62feabe93278985d
Fixed
50dc9ce9f80554a88e33b73c30851acf2be36ed3

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.17.10
v5.17.11
v5.17.12
v5.17.13
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.8
v5.17.9
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.2
v5.4
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@50dc9ce9f80554a88e33b73c30851acf2be36ed3",
        "id": "CVE-2022-49533-29e38309",
        "digest": {
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath11k/wmi.h"
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@210505788f1d243232e21ef660efcd4838890ce8",
        "id": "CVE-2022-49533-5ad93805",
        "digest": {
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath11k/wmi.h"
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ec5dfa1d66f2f71a48dab027d26a9fa78eb0f58f",
        "id": "CVE-2022-49533-b86b8f30",
        "digest": {
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath11k/wmi.h"
        },
        "signature_type": "Line",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.6.0
Fixed
5.17.14
Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
5.18.3