CVE-2022-49290 - mac80211 Double Free in Linux Kernel Mesh Join/Leave (Detailed Analysis & Exploit Walkthrough)

In December 2022, a critical Linux kernel bug was identified and tracked under CVE-2022-49290. This vulnerability, residing in the mac80211 subsystem, could lead to severe consequences such as a double free and potential kernel panic. Specifically, the bug relates to how memory for mesh network Information Elements (IE) is freed when leaving and rejoining a mesh network.

This post breaks down the issue, demonstrates how it can be triggered and discusses the fix, drawing on upstream Linux kernel patches and real-world scenarios.

What’s Affected?

Any Linux system using the mac80211 subsystem for managing mesh networks is affected, especially when programs directly invoke mesh join/leave netlink calls without the usual userland utilities (wpa_supplicant).

How the Bug Occurs

A previous patch 6a01afcf8468 addressed a memory leak by freeing the mesh Information Element (ie) on mesh leave. However, the new code caused another problem: double free on the IE pointer if a join immediately follows leave under some conditions.

`

If ifmsh->ie is not set to NULL in between, the second kfree targets already-freed memory, leading to memory corruption or a kernel panic.

A Linux system with a mac80211 mesh interface (like mesh)

- Direct use of iw or custom tools; not via wpa_supplicant (which avoids this with extra NETDEV_DOWN/UP cycles)

This triggers ieee80211_leave_mesh() and frees the IE memory.

3. (Optionally, skip an interface down/up cycle)

Here's a minimal reproducer (run as root)

# Start encrypted mesh (already running, for PoC we just care about leave/join)
iw dev mesh mesh leave
iw dev mesh mesh join my-mesh freq 2412 key :somekey

On a vulnerable kernel, this sequence may crash the system or log malloc/free errors.

Tip: For more controlled exploration, use crashkernel or qemu VMs to avoid real hardware damage.

Why Doesn't It Happen With wpa_supplicant?

When using wpa_supplicant, the mesh leave/join is performed via a NETDEV_DOWN → NETDEV_UP cycle between the commands. NETDEV_UP resets the mesh IE to NULL using default settings, which prevents the double free bug.

But tools like Senf (a router/mesh project) or custom netlink clients may skip this, exposing the vulnerability.

The Fix

The kernel fix was to remove the redundant kfree in mesh join, leaving cleanup solely to mesh leave:

Before

old_ie = ifmsh->ie;
kfree(old_ie); // <-- Bad: this could be double free

After

// No longer freeing old_ie here

See kernel commit diff.

References

- Linux Kernel Commit fixing CVE-2022-49290
- NVD Entry
- Original report by Michael Braun
- mac80211 mesh documentation

- If upgrade is not possible

- Prefer using wpa_supplicant or high-level tools that manage device states, to avoid direct netlink commands.
- Do not alternate mesh leave/join via direct iw calls; restart the interface in between as a precaution.

Conclusion

CVE-2022-49290 showcases how fixing one bug can sometimes introduce another if lifecycle and state is not managed carefully. If you maintain mesh Wi-Fi routers on Linux, update your kernel and audit any custom automation that performs direct mesh management.

By carefully understanding how mesh IEs are freed, you can avoid costly downtimes or critical kernel crashes.

Want to Learn More?

- mac80211 code walkthrough
- Your wireless driver and mesh FAQ on linux-wireless

Timeline

Published on: 02/26/2025 07:01:05 UTC
Last modified on: 04/14/2025 20:07:47 UTC