CVE-2022-47521: 
Linux Kernel vulnerability analysis and mitigation

An issue was discovered in the Linux kernel before 6.0.11 related to missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver. The vulnerability was disclosed on December 18, 2022, and affects the Atmel WILC1000 driver in the Linux kernel (NVD, Ubuntu).

The vulnerability stems from improper validation of specific attributes in the WILC1000 wireless driver, specifically in the handling of the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute. The issue can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames. The vulnerability has been assigned a CVSS 3.1 score of 7.8 (High), with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp).

The exploitation of this vulnerability could lead to multiple severe consequences including denial of service (system crash), potential execution of arbitrary code, and possible information disclosure. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of affected systems (Ubuntu, NetApp).

The vulnerability has been fixed in Linux kernel version 6.0.11 and later. Various distributions have released patches, including Ubuntu which has fixed the issue in versions 5.19.0-35.36 for 22.10 and 5.15.0-67.74 for 22.04 LTS. The fix involves adding proper validation of the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute length (GitHub, Ubuntu).