CVE-2022-23088
published 2024-02-15


Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.62% (percentile 88.1)
The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with an SSID), a malicious beacon frame may overwrite kernel memory, leading to remote code execution.

Affected (8 ranges)

Vendor    Product   Version range             Fixed in
freebsd   freebsd   < 12.3                    12.3
freebsd   freebsd
freebsd   freebsd
freebsd   freebsd
freebsd   freebsd   >= 12.3-RELEASE < p5      p5
freebsd   freebsd   >= 12.4 < 13.0            13.0
freebsd   freebsd   >= 13.0-RELEASE < p11     p11
freebsd   freebsd   >= 13.1-RC1 < p1          p1

Detection & IOCs (extracted from sources)

url: https://security.FreeBSD.org/patches/SA-22:07/wifi_meshid.patch
hash: 72617f9246e3
hash: 00cc1ce78da3
hash: b2b23824272d
  • The vulnerability is triggered via a malicious IEEE 802.11s beacon frame carrying an oversized Mesh ID element; it is exploitable only against FreeBSD Wi-Fi clients that are actively scanning (not yet associated with an SSID). Monitor for 802.11s beacon frames whose Mesh ID element declares a length beyond the valid bound.
  • The exploitation window is limited to scanning mode, i.e. a FreeBSD Wi-Fi client that is not associated with any SSID. Detection should focus on unassociated FreeBSD wireless interfaces receiving crafted beacon frames.
  • The vulnerable kernel subsystem is net80211. Kernel crash dumps or unexpected reboots on FreeBSD systems with active Wi-Fi interfaces may indicate exploitation attempts against this heap buffer overflow.
  • Systems not using Wi-Fi are entirely unaffected. The attack surface is limited to hosts with active wireless interfaces in scanning mode.
  • No workaround is available short of patching; all supported FreeBSD versions are affected, and the fix requires a system reboot after it is applied.
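The description and the detection bullets above both come down to one check: the declared length of a Mesh ID element must be validated before the element is copied into a fixed-size buffer. The following Python is an added illustration, not FreeBSD's net80211 code nor the SA-22:07 patch. It walks the information elements of a beacon frame body and flags a Mesh ID (element ID 114, which IEEE 802.11 limits to 32 octets, the same bound as an SSID) whose declared length exceeds that limit, as well as elements whose length runs past the end of the frame body. The sample beacon bodies are constructed inline; the frame layout (8-byte timestamp, 2-byte beacon interval, 2-byte capability field, then TLV elements) is the standard 802.11 beacon body.

```python
# Added example (not FreeBSD code): validate 802.11 beacon information
# elements and flag Mesh ID elements with an out-of-bound declared length.
import struct
from dataclasses import dataclass
from typing import List, Tuple

ELEMENT_ID_SSID = 0
ELEMENT_ID_MESH_ID = 114      # IEEE 802.11 Mesh ID element
MESH_ID_MAX_LEN = 32          # Mesh ID is at most 32 octets, like an SSID
BEACON_FIXED_LEN = 8 + 2 + 2  # timestamp, beacon interval, capability info


@dataclass
class Finding:
    element_id: int
    declared_len: int
    reason: str


def meshid_length_ok(declared_len: int) -> bool:
    """The check a beacon handler must make before copying a Mesh ID
    into a buffer sized for at most MESH_ID_MAX_LEN octets."""
    return declared_len <= MESH_ID_MAX_LEN


def scan_beacon_body(body: bytes) -> List[Finding]:
    """Walk the TLV elements after the fixed beacon fields and report
    anything a beacon handler should refuse to copy."""
    findings: List[Finding] = []
    if len(body) < BEACON_FIXED_LEN:
        return [Finding(-1, len(body), "beacon body shorter than fixed fields")]
    off = BEACON_FIXED_LEN
    while off < len(body):
        if off + 2 > len(body):
            findings.append(Finding(-1, 0, "truncated element header"))
            break
        eid, elen = body[off], body[off + 1]
        payload_end = off + 2 + elen
        if payload_end > len(body):
            # Declared length runs past the frame body: a reader that trusts
            # it would over-read the receive buffer.
            findings.append(Finding(eid, elen, "element length exceeds frame body"))
            break
        if eid == ELEMENT_ID_MESH_ID and not meshid_length_ok(elen):
            # Declared length is within the frame but larger than any
            # legitimate Mesh ID; copying it blindly overflows a 32-octet buffer.
            findings.append(Finding(eid, elen, "Mesh ID longer than 32 octets"))
        off = payload_end
    return findings


def build_beacon(elements: List[Tuple[int, bytes]]) -> bytes:
    """Construct a beacon frame body (fixed fields followed by TLV elements)."""
    body = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, interval, capability
    for eid, payload in elements:
        body += bytes([eid, len(payload)]) + payload
    return body


# Constructed sample inputs: a well-formed mesh beacon and one whose Mesh ID
# element declares 200 octets, far beyond the 32-octet maximum.
BENIGN_BEACON = build_beacon([(ELEMENT_ID_SSID, b"lab-ap"),
                              (ELEMENT_ID_MESH_ID, b"mesh0")])
OVERSIZED_MESHID_BEACON = build_beacon([(ELEMENT_ID_SSID, b""),
                                        (ELEMENT_ID_MESH_ID, b"A" * 200)])

if __name__ == "__main__":
    for name, beacon in (("benign", BENIGN_BEACON),
                         ("oversized", OVERSIZED_MESHID_BEACON),
                         ("truncated", BENIGN_BEACON[:-3])):
        print(name, scan_beacon_body(beacon))
```

The same walker can be run over beacon bodies pulled from a packet capture of an unassociated interface; a non-empty result for a Mesh ID element is the condition the first detection bullet describes, while the "exceeds frame body" case catches the related malformed-length pattern that a handler trusting the declared length would also mishandle.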