CVE-2022-23088
Published: 2024-02-15
Priority: P260 | Severity: critical | CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.62% (88.1th percentile)
The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.
While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with an SSID), a malicious beacon frame may overwrite kernel memory, leading to remote code execution.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | < 12.3 | 12.3 |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | >= 12.3-RELEASE < p5 | p5 |
| freebsd | freebsd | >= 12.4 < 13.0 | 13.0 |
| freebsd | freebsd | >= 13.0-RELEASE < p11 | p11 |
| freebsd | freebsd | >= 13.1-RC1 < p1 | p1 |
Detection & IOCs
- The vulnerability is triggered via a malicious IEEE 802.11s beacon frame with an oversized Mesh ID field, exploitable only against FreeBSD Wi-Fi clients actively in scanning mode (not yet associated with an SSID). Monitor for anomalous 802.11s beacon frames with Mesh ID elements exceeding valid length bounds.
- The exploitation window is limited to scanning mode: a FreeBSD Wi-Fi client that is not associated with any SSID. Detection focus should be on unassociated FreeBSD wireless interfaces receiving crafted beacon frames.
- The vulnerable kernel subsystem is net80211. Kernel crash dumps or unexpected reboots on FreeBSD systems with active Wi-Fi interfaces may indicate exploitation attempts targeting this heap buffer overflow.
- Systems not using Wi-Fi are entirely unaffected. The attack surface is limited to hosts with active wireless interfaces in scanning mode.
- No workaround is available short of patching; all supported FreeBSD versions are affected, requiring a system reboot after applying the fix.
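The length check the first bullet asks monitoring to perform, as an added example that is not FreeBSD's code or the patch itself. It assumes the input is the tagged-element part of a beacon body (after the 12 bytes of fixed fields); the element ID 114 and the 32-octet Mesh ID limit come from IEEE 802.11 rather than from this page, and all function, constant and array names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_MESH_ID      114  /* IEEE 802.11 element ID for Mesh ID (assumption, not on the page) */
#define MESH_ID_MAX_LEN 32   /* Mesh ID is 0..32 octets per IEEE 802.11 (assumption) */

enum ie_verdict { IE_OK = 0, IE_TRUNCATED = 1, IE_MESHID_OVERSIZED = 2 };

/* Walk the (id, len, value) elements of a beacon and validate every
 * length field before any value could be copied into a fixed buffer. */
enum ie_verdict check_beacon_ies(const uint8_t *ies, size_t n)
{
    size_t off = 0;

    while (off < n) {
        if (n - off < 2)
            return IE_TRUNCATED;          /* no room for id + len */
        uint8_t id = ies[off];
        uint8_t len = ies[off + 1];
        if ((size_t)len > n - off - 2)
            return IE_TRUNCATED;          /* value runs past end of frame */
        if (id == IE_MESH_ID && len > MESH_ID_MAX_LEN)
            return IE_MESHID_OVERSIZED;   /* the malformed element to flag */
        off += 2 + (size_t)len;
    }
    return IE_OK;
}

/* Constructed sample element lists (not captured traffic). */
static const uint8_t ok_ies[]    = { 0, 0, 114, 4, 'm', 'e', 's', 'h' };
static const uint8_t edge_ies[2 + 32] = { 114, 32 };  /* exactly 32 octets */
static const uint8_t big_ies[2 + 40]  = { 114, 40 };  /* 40-octet Mesh ID */
static const uint8_t trunc_ies[] = { 114, 10, 'a', 'b', 'c' };

int main(void)
{
    printf("ok=%d edge=%d big=%d trunc=%d\n",
           check_beacon_ies(ok_ies, sizeof ok_ies),
           check_beacon_ies(edge_ies, sizeof edge_ies),
           check_beacon_ies(big_ies, sizeof big_ies),
           check_beacon_ies(trunc_ies, sizeof trunc_ies));
    return 0;
}
```

A monitor-mode sensor would alert on `IE_MESHID_OVERSIZED`; a receiver would drop the frame on any verdict other than `IE_OK`.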
GHSA
GHSA-7xg3-5hhv-932f
ghsa_unreviewed · 2024-02-15
CVE-2022-23088 [CRITICAL] CWE-94
The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.
While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with an SSID), a malicious beacon frame may overwrite kernel memory, leading to remote code execution.
BSD
FreeBSD-SA-22:07.wifi_meshid: 802.11 heap buffer overflow
bsd_advisories·2022-04-06·CVSS 9.8
CVE-2022-23088 [CRITICAL] FreeBSD-SA-22:07.wifi_meshid: 802.11 heap buffer overflow
FreeBSD-SA-22:07.wifi_meshid Security Advisory
The FreeBSD Project
Topic: 802.11 heap buffer overflow
Category: core
Module: net80211
Announced: 2022-04-06
Credits: m00nbsd working with Trend Micro Zero Day Initiative
Affects: All supported versions of FreeBSD.
Corrected: 2022-04-05 22:59:53 UTC (stable/13, 13.1-STABLE)
           2022-04-06 01:56:58 UTC (releng/13.1, 13.1-RC1-p1)
           2022-04-06 03:04:17 UTC (releng/13.0, 13.0-RELEASE-p11)
           2022-04-05 23:03:40 UTC (stable/12, 12.3-STABLE)
           2022-04-06 03:06:33 UTC (releng/12.3, 12.3-RELEASE-p5)
CVE Name: CVE-2022-23088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD's net80211 kernel subsystem provides infrastru
No detection rules found.
No public exploits indexed.