CRITICAL🇵🇱 Wersja polska

CVE-2022-23088

CVSS 9.8v3.1pub. 2024-02-15upd. 2025-06-04

The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.

🤖 AI Analysis
How it works

The vulnerability is caused by a failure to verify the length of the IEEE 802.11s Mesh ID field in a beacon frame before copying it to a buffer allocated on the kernel heap. When FreeBSD operates in wireless network scanning mode (i.e., not connected to any SSID), it processes received beacon frames from its surroundings. An attacker can broadcast a maliciously crafted beacon frame containing an excessively long Mesh ID field, leading to a heap-based buffer overflow and overwriting critical kernel data structures. The consequence is the ability to execute arbitrary code remotely in the kernel context of the operating system.

Impact

An attacker within wireless network range can gain full control of the system through RCE in kernel space, meaning the ability to compromise the confidentiality, integrity, and availability of the entire system.

Mitigation & patch

Apply patches available from the vendor in accordance with the references — see FreeBSD advisory FreeBSD-SA-22:07.wifi_meshid available at https://security.freebsd.org/advisories/FreeBSD-SA-22:07.wifi_meshid.asc. As a temporary measure, consider disabling Wi-Fi interfaces or avoiding network scanning mode on vulnerable systems.

Who is affected

FreeBSD — versions indicated in the vendor's references (advisory FreeBSD-SA-22:07.wifi_meshid)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Freebsd

    OS
    Freebsd
    12.313.013.1< 12.312.4 – 13.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-43102CRITICAL10.0PL ✓ten sam produkt

FreeBSD UMTX_SHM_DESTROY: use-after-free umożliwiający RCE lub ucieczkę z sandboxa

CVE-2024-29937CRITICAL9.8PL ✓ten sam produkt

RCE w implementacji NFS w OpenBSD i FreeBSD — zdalne wykonanie kodu

CVE-2023-5941CRITICAL9.8ten sam produkt

In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5...

CVE-2023-3326CRITICAL9.8ten sam produkt

pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket...

CVE-2020-25577CRITICAL9.8ten sam produkt

In FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before...