In the world of Linux security, old kernel drivers often hide critical vulnerabilities—some lurking for years. One such issue is CVE-2022-4095: a use-after-free flaw in the Realtek RTL8712 Wi-Fi driver, found in Linux kernels before version 5.19.2. This bug allows an attacker with local access to crash the system or even execute code with elevated privileges. Let’s break down what happened, how the exploit works, and what you can do to stay safe.
What is CVE-2022-4095?
CVE-2022-4095 is a use-after-free vulnerability located in the cmd_hdl_filter function inside drivers/staging/rtl8712/rtl8712_cmd.c. When certain commands are sent to the Wi-Fi driver, the code mistakenly frees memory, then tries to use it again. This can corrupt memory, causing a denial of service (crash), or—worse—open the door for privilege escalation attacks.
The issue is found in this portion of the driver's code (kernel versions before 5.19.2)
void cmd_hdl_filter(struct _adapter *padapter, u8 *pbuf)
{
// ...
kfree(padapter->filter_buf);
// ... some code that still references padapter->filter_buf
}
Here, padapter->filter_buf gets freed, but later down the function, the code continues to use filter_buf, which now points to memory that might already be reallocated for something else. Classic use-after-free.
August 2022: Vulnerability discovered
- August 2022: Fix merged leading up to kernel 5.19.2 (patch details)
Allow local user access (shell, ssh, desktop, etc.)
Most modern desktops and servers don’t use this Wi-Fi driver, but it's popular in embedded systems, old laptops, and custom boards.
How Does the Exploit Work?
An attacker with local access can trigger the bug by sending a crafted command to the driver (e.g., via ioctl or a malicious Wi-Fi packet processed by the driver). Here's a simplified proof of concept (PoC), showing how such a call might look in C:
#include <stdio.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>
#define RTL8712_IOCTL_CMD x8BEC // Example constant, real value may vary
int main() {
int fd = open("/dev/rtl8712", O_RDWR);
if (fd < ) {
perror("Failed to open device");
return 1;
}
char filter_cmd[64] = {}; // Craft payload triggering cmd_hdl_filter
// Manipulate filter_cmd as needed for exploit
if (ioctl(fd, RTL8712_IOCTL_CMD, filter_cmd) == -1) {
perror("ioctl failed");
} else {
printf("ioctl sent. Check if system crashed or behavior changed.\n");
}
close(fd);
return ;
}
What happens?
The use-after-free allows an attacker to control freed memory. If they reallocate it with attacker-controlled data (using malloc()/free() patterns), they can potentially overwrite function pointers or critical data, leading to kernel code execution.
A malicious user on a shared machine could gain full control—or simply crash the system.
- Embedded devices, industrial controls, or routers using this driver could be compromised with physical or remote (network) access.
- Since it's a kernel bug, container and VM boundaries can't protect you if the attacker can interact with the vulnerable driver.
The Fix
Upgrading your kernel to 5.19.2 or later removes the vulnerability.
The fix ensures the pointer isn't used after it's freed, e.g.
kfree(padapter->filter_buf);
padapter->filter_buf = NULL;
Check the specific upstream patch for details.
References
- CVE-2022-4095 on NVD
- Kernel Bugzilla Entry
- Linux Patch Commit
- GitHub Patch PR
Summary
CVE-2022-4095 is a textbook example of how old, rarely-audited drivers can expose Linux systems to dangerous local bugs. If you use RTL8712-based Wi-Fi on Linux, patch today. Disabling unused drivers and keeping your kernel up to date is always the best defense.
Timeline
Published on: 03/22/2023 15:15:00 UTC
Last modified on: 03/24/2023 20:43:00 UTC