CVE CyberSecurity Database News

CVE-2022-3628 - Buffer Overflow in Broadcom Full MAC Wi-Fi Driver — How a Malicious USB Device Can Take Down Your Linux System

Poster -

In late 2022, security researchers discovered CVE-2022-3628, a serious vulnerability in the Linux kernel’s Broadcom Full MAC Wi-Fi USB driver (drivers/net/wireless/broadcom/brcm80211/brcmfmac). By simply plugging in a specially crafted USB Wi-Fi device, a local attacker could trigger a buffer overflow, crashing your system or even gaining higher privileges. In this post, we’ll break down what this bug means, how it works, and see real code snippets that highlight the issue—plus, steps to protect yourself.

What Is CVE-2022-3628?

This vulnerability exists in certain Linux kernel versions where the Broadcom Full MAC Wi-Fi driver handles USB devices. The flaw is a classic buffer overflow: the driver doesn’t properly check the length of incoming data from USB, allowing data to be written past the end of the buffer in memory. A local user—one with physical access or some low privileges—can exploit this by plugging in a malicious USB Wi-Fi dongle.

The result?

The vulnerable code lies in the Linux Kernel source file

drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c

Here’s a simplified look at the “bad” code pattern

// Simplified code snippet (for illustration):

int brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
{
    struct brcmf_usbdev *bus;
    struct usb_device *udev = interface_to_usbdev(intf);

    // ... omitted setup code ...

    // Vulnerable part: insufficient length check!
    usb_control_msg(udev,
                    usb_rcvctrlpipe(udev, ),
                    SOME_USB_REQUEST,
                    USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
                    , , buffer, len, timeout);

    // ... process 'buffer' contents here, trusting 'len' parameter ...
}

If the device gives more data than the buffer is prepared to hold, it overwrites adjacent memory, causing trouble.

Official Patch Reference:
- commit 1d8d2b109a – Kernel.org patch
- Red Hat Bugzilla CVE-2022-3628

A proof-of-concept exploit would involve

1. Firmware on a USB Wi-Fi Stick: A custom or compromised USB dongle can announce itself with oversized structures or payloads when probed by the Linux host.
2. Overflow at Driver Level: The Linux kernel driver (running as root) reads what it thinks is valid data, but actually this overwrites the stack or heap.
3. Result: The attacker could set special return addresses or values, leading to either a crash or—if further chained with kernel exploitation techniques—full local root access.

Example Exploit Scenario

Assume an attacker has a Raspberry Pi or another Linux host, and access to flash a USB Wi-Fi chip with rogue firmware.

The fake USB device could present a standard ID so the driver recognizes it, but when the driver fetches configuration, it provides a huge packet:

# Hypothetical python code, using usb.core for PoC
import usb.core
import usb.util

dev = usb.core.find(idVendor=xa5c, idProduct=x1234)  # Fake Broadcom USB

if dev is None:
    raise ValueError('Device not found')

# Send crafted response with huge payload size
malicious_data = b"A" * 1024  # Oversized

dev.ctrl_transfer(
    bmRequestType=usb.util.build_request_type(
        usb.util.CTRL_IN, usb.util.CTRL_TYPE_VENDOR, usb.util.CTRL_RECIPIENT_DEVICE
    ),
    bRequest=1,  # Example request
    wValue=,
    wIndex=,
    data_or_wLength=malicious_data
)


*This is illustrative. Real-world exploitation would require deep USB gadget programming, but the principle holds: send more data than expected, trigger the overflow.*

Users running Linux on laptops or desktops with Broadcom USB Wi-Fi adapters.

- Admins configuring devices in public or possibly hostile environments (shared labs, universities, etc).

How to Fix It

Mitigation:  
Update your Linux kernel to a version including the patch.

Major Linux distributions have released updates since late 2022

- Red Hat advisory
- Ubuntu USN-5707-1

Temporary workarounds:

Conclusion

CVE-2022-3628 is a classical but dangerous kernel bug that shows how plugging in a malicious USB device can instantly threaten a Linux system. While it’s rare for ordinary users to encounter such attacks, environments with shared access or sensitive data should patch ASAP and keep a close eye on device security.

References

- NIST NVD Entry
- Linux Kernel commit/patched code
- Red Hat Bugzilla - CVE-2022-3628
- Ubuntu Security Notice USN-5707-1

Timeline

Published on: 01/12/2023 19:15:00 UTC
Last modified on: 01/23/2023 15:13:00 UTC