FKIE_CVE-2022-23088
Vulnerability from fkie_nvd - Published: 2024-02-15 05:15 - Updated: 2025-06-04 22:16
Severity ?
Summary
The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.
While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freebsd | freebsd | * | |
| freebsd | freebsd | * | |
| freebsd | freebsd | 12.3 | |
| freebsd | freebsd | 12.3 | |
| freebsd | freebsd | 12.3 | |
| freebsd | freebsd | 12.3 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.0 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "21DD7BCE-A20E-4014-8E35-DB6EC1FB12B0",
"versionEndExcluding": "12.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4ACD421D-AD3D-484B-9E8C-3FA32262B885",
"versionEndExcluding": "13.0",
"versionStartIncluding": "12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "3B6DCD8A-331E-419F-9253-C4D35C1DF54B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.3:p2:*:*:*:*:*:*",
"matchCriteriaId": "4578E06C-16C6-435E-9E51-91CB02602355",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.3:p3:*:*:*:*:*:*",
"matchCriteriaId": "71FA1F6C-7E53-40F8-B9E1-5FD28D5DAADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.3:p4:*:*:*:*:*:*",
"matchCriteriaId": "0EC87BCE-17F0-479B-84DC-516C24FBD396",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "7412DBD8-BB1F-48A8-AAE1-BA5C8D7BDDF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "833DFF5B-BC50-424A-ABCF-EC632F421B76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "9F27016E-4117-4094-BB7A-9C56E38024D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta3-p1:*:*:*:*:*:*",
"matchCriteriaId": "EC7326E3-908D-47A1-B848-3AA7F34B3DD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "B149BF69-951D-47B4-996C-9E4773DA75B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "04A0E266-714C-4753-A652-A51F25582C78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p10:*:*:*:*:*:*",
"matchCriteriaId": "D133E8E0-4E88-451C-9693-5DE5C3092AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "556111A1-C236-4DF6-9438-F9C874451A58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "1673F16B-463A-492C-B66F-48917008F7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "E73B211F-2CA9-47A4-B318-F24CC1C7E589",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "7C13DDEF-FF5F-4723-9C25-4EA66AE2CEDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "7A942EA9-0DD3-44BC-B582-C680BA34E88F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "689BC10B-0404-4468-B604-9D96337F9BD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p8:*:*:*:*:*:*",
"matchCriteriaId": "38DDAA43-3E9C-479F-8416-E3B9BE23C31B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p9:*:*:*:*:*:*",
"matchCriteriaId": "AE490480-1EA1-4684-A643-9749E87A8448",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FC271C93-EB83-4301-B7BA-F3249B71B1EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "04329338-AC28-4A74-BE6B-CE8EC6CC37B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "ADBA841F-5C83-4759-84B7-B59DA1B12EA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "6A8F38B3-A6DA-4178-A2BD-0D4F0267C384",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "9BB028A0-70F6-42DA-9E5A-F7AAF74ED45B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc5-p1:*:*:*:*:*:*",
"matchCriteriaId": "00D28E4E-022B-482E-9952-7F7F47C427C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:b1-p1:*:*:*:*:*:*",
"matchCriteriaId": "66364EA4-83B1-4597-8C18-D5633B361A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:b2-p2:*:*:*:*:*:*",
"matchCriteriaId": "EF9292DD-EFB1-4B50-A941-7485D901489F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.\n\nWhile a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution."
},
{
"lang": "es",
"value": "La rutina de manejo de balizas 802.11 no pudo validar la longitud de un ID de malla IEEE 802.11 antes de copiarlo en un b\u00fafer asignado en mont\u00f3n. Mientras un cliente Wi-Fi de FreeBSD est\u00e1 en modo de escaneo (es decir, no asociado con un SSID), una trama de baliza maliciosa puede sobrescribir la memoria del kernel, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo."
}
],
"id": "CVE-2022-23088",
"lastModified": "2025-06-04T22:16:17.550",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-15T05:15:09.440",
"references": [
{
"source": "secteam@freebsd.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:07.wifi_meshid.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:07.wifi_meshid.asc"
}
],
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…