CVE-2022-50678
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix invalid address access when enabling SCAN log level
The variable i is changed when setting random MAC address and causes invalid address access when printing the value of pi->reqs[i]->reqid.
We replace reqs index with ri to fix the issue.
[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ 136.737365] Mem abort info:
[ 136.740172] ESR = 0x96000004
[ 136.743359] Exception class = DABT (current EL), IL = 32 bits
[ 136.749294] SET = 0, FnV = 0
[ 136.752481] EA = 0, S1PTW = 0
[ 136.755635] Data abort info:
[ 136.758514] ISV = 0, ISS = 0x00000004
[ 136.762487] CM = 0, WnR = 0
[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
[ 136.772265] [0000000000000000] pgd=0000000000000000
[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1
[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
[ 136.828162] sp : ffff00000e9a3880
[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400
[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0
[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400
[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8
[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400
[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000
[ 136.863343] x17: 0000000000000000 x16: 0000000000000000
[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050
[ 136.873966] x13: 0000000000003135 x12: 0000000000000000
[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888
[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008
[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d
[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942
[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8
[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000
[ 136.911146] Call trace:
[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]
[ 136.937298] genl_rcv_msg+0x358/0x3f4
[ 136.940960] netlink_rcv_skb+0xb4/0x118
[ 136.944795] genl_rcv+0x34/0x48
[ 136.947935] netlink_unicast+0x264/0x300
[ 136.951856] netlink_sendmsg+0x2e4/0x33c
[ 136.955781] __sys_sendto+0x120/0x19c
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's brcmfmac WiFi driver, a null-pointer dereference occurs during scheduled scan configuration when the loop index is reused after setting a random MAC, leading to invalid memory access.
Vulnerability
A use-after-free or invalid address access vulnerability exists in the Linux kernel's Broadcom FullMAC WiFi driver (brcmfmac). The bug resides in the brcmf_pno_config_sched_scans function, which handles scheduled scan offloading. When the driver sets a random MAC address during the scan setup, the loop index variable i is modified, and then used incorrectly as an index into the pi->reqs[] array. This causes the kernel to read a pointer from an out-of-bounds or null memory location, leading to a crash as seen in the Oops output where the kernel attempts to access user memory at address 0x0000000000000000 [CVE description].
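The index reuse described above, reduced to a user-space C model. This is an added example, not the brcmfmac source: the struct layout, flag bit, helper names and the per-byte MAC loop are assumptions made for illustration. It contrasts the clobbered index with a separate `ri` and adds a bounds-checked read for the log line.

```c
#include <stdint.h>

#define ETH_ALEN 6            /* MAC address length in bytes */
#define MAX_REQS 16           /* constructed capacity for this model */
#define FLAG_RANDOM_ADDR 0x1u /* hypothetical "randomize MAC" flag */
struct sched_req { uint64_t reqid; unsigned flags; };
struct pno_info { struct sched_req *reqs[MAX_REQS]; int n_reqs; };

/* Bug shape: i picks the request, is reused by the MAC loop, then indexes
 * reqs[] for the log line. Returns that index, or -1 if nothing matched. */
static int log_index_buggy(const struct pno_info *pi, uint8_t *mac)
{
    int i;
    for (i = 0; i < pi->n_reqs; i++)
        if (pi->reqs[i]->flags & FLAG_RANDOM_ADDR) break;
    if (i == pi->n_reqs) return -1;
    for (i = 0; i < ETH_ALEN; i++) mac[i] ^= 0xa5; /* stand-in MAC setup */
    return i;                     /* always ETH_ALEN, not the request slot */
}

/* Fix shape: the request index lives in its own variable, ri. */
static int log_index_fixed(const struct pno_info *pi, uint8_t *mac)
{
    int i, ri;
    for (ri = 0; ri < pi->n_reqs; ri++)
        if (pi->reqs[ri]->flags & FLAG_RANDOM_ADDR) break;
    if (ri == pi->n_reqs) return -1;
    for (i = 0; i < ETH_ALEN; i++) mac[i] ^= 0xa5;
    return ri;
}

/* Guarded read for the log line: 0 on success, -1 for a bad or empty slot. */
static int reqid_for_log(const struct pno_info *pi, int idx, uint64_t *out)
{
    if (idx < 0 || idx >= pi->n_reqs || !pi->reqs[idx]) return -1;
    *out = pi->reqs[idx]->reqid;
    return 0;
}

/* Constructed input: two requests, the second asks for a random MAC. */
static int demo(int fixed, uint64_t *out)
{
    struct sched_req a = {41, 0}, b = {42, FLAG_RANDOM_ADDR};
    struct pno_info pi = { .reqs = {&a, &b}, .n_reqs = 2 };
    uint8_t mac[ETH_ALEN] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
    int idx = fixed ? log_index_fixed(&pi, mac) : log_index_buggy(&pi, mac);
    return reqid_for_log(&pi, idx, out);
}

int main(void) { uint64_t id = 0; return demo(0, &id) == -1 && demo(1, &id) == 0 ? 0 : 1; }
```

With two requests and a six-byte MAC, the buggy path asks for slot 6, which is empty in this model; the guarded read rejects it, while the `ri` variant reads slot 1.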
Exploitation
An attacker can trigger this vulnerability by sending a specially crafted request to enable SCAN log level on a system using the brcmfmac driver. The attack is local, requiring the ability to interact with the wireless subsystem (e.g., via wificond or nl80211), but no special privileges beyond normal user access to wireless configuration. The affected code path is reachable during normal system operation when scanning for networks. The crash manifests as a kernel NULL pointer dereference, which can be used for denial-of-service or potentially for privilege escalation if the attacker can control the kernel memory layout [CVE description].
Impact
Successful exploitation results in a kernel Oops, which causes a system crash or reboot, effectively a denial-of-service condition. Given the nature of the bug (index misuse leading to read of a NULL pointer), there is a theoretical possibility of arbitrary code execution if an attacker can manipulate the kernel memory layout to make the index point to attacker-controlled data, but the primary impact observed is system instability.
Mitigation
The vulnerability was fixed in the Linux kernel by commit 7ccb0529446ae68a8581916bfc95c353306d76ba and its backports, which replaced the modified index variable i with a new variable ri to avoid the out-of-bounds access [1][2][3][4]. Users should update to a kernel version containing this fix. The issue affects kernels prior to the fix, including version 4.19.42 as shown in the crash trace. No workaround other than applying the patch is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
7ccb0529446a, 1c12d47a9017, 56a0ac486341, 50e45034c580, 75995ce1c926, 4d4dcfa6b4e8, 826405a91147, aa666b68e73f
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1c12d47a9017a7745585b57b9b0fdc0d8c50978e (nvd)
- git.kernel.org/stable/c/4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4 (nvd)
- git.kernel.org/stable/c/50e45034c5802cedbf5b707364ea76ace29ad984 (nvd)
- git.kernel.org/stable/c/56a0ac48634155d2b866b99fba7e1dd8df4e2804 (nvd)
- git.kernel.org/stable/c/75995ce1c926ee87bf93d58977c766b4e7744715 (nvd)
- git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba (nvd)
- git.kernel.org/stable/c/826405a911473b6ee8bd2aa891cb2f03a13efa17 (nvd)
- git.kernel.org/stable/c/aa666b68e73fc06d83c070d96180b9010cf5a960 (nvd)