Soenke Huster

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.1 through 5.19.x before 5.19.16 **Description** A list management bug in BSS handling in the mac80211 stack could be used by local attackers to corrupt a linked list and potentially execute code. The issue is related to a logic error in the code, which could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. **Recommendations** For Linux kernel versions 5.1 through 5.19.x before 5.19.16, update to version 5.19.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mac80211` stack to minimize the risk of exploitation. Avoid using the `cfg80211 add nontrans list` function in the `scan.c` file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.8 through 5.19.x before 5.19.16 **Description** The issue allows local attackers to inject WLAN frames into the mac80211 stack, potentially causing a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices. This could lead to a denial-of-service condition. **Recommendations** For Linux kernel versions 5.8 through 5.19.x before 5.19.16, update to version 5.19.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the mac80211 stack to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.1 through 5.19.x before 5.19.16 **Description** The issue is related to refcounting bugs in the multi-BSS handling in the mac80211 stack, which could allow local attackers to trigger use-after-free conditions and potentially execute code by injecting WLAN frames. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. **Recommendations** For Linux kernel versions 5.1 through 5.19.x before 5.19.16, update to version 5.19.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the mac80211 stack or disabling the injection of WLAN frames until a patch is available. Avoid using functions in scan.c that may be vulnerable to use-after-free conditions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.2 through 5.19.x before 5.19.16 **Description** A use-after-free issue in the mac80211 stack when parsing a multi-BSSID element could be exploited by attackers able to inject WLAN frames to crash the kernel and potentially execute code. This issue is related to a logic error in the code, specifically in the `ieee802 11 parse elems crc` function of `util.c`, which could lead to remote code execution without additional execution privileges needed. User interaction is not required for exploitation. **Recommendations** For Linux kernel versions 5.2 through 5.19.x before 5.19.16, update to version 5.19.16 or later to resolve the issue. As a temporary workaround, consider restricting access to WLAN frames to minimize the risk of exploitation. Additionally, ensure that any code using the `ieee802 11 parse elems crc` function is reviewed and updated to prevent potential use-after-free errors.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A null pointer dereference issue has been identified in the Linux kernel related to Bluetooth functionality. Specifically, this issue occurs when a HCI Synchronous Connection Complete event is received for a BDADDR of an existing LE connection with a status that triggers a particular case of packet processing, resulting in a null pointer dereference because `conn->link` is NULL. This event is specified for SCO and eSCO link types. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory corruption issue exists due to the registration of devices multiple times when multiple connection complete events are received for the same handle. To address this, the code now ignores consequent events for a single connection. The introduction of HCI CONN HANDLE UNSET helps identify new connections, and checks for HCI CONN HANDLE MAX prevent the use of invalid handles. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.