Red Hat Enterprise Linux 6.0 Overflow Vulnerability


A flaw was found in the mwifiex kernel module that allowed an attacker to corrupt memory and possibly escalate privileges when the system connects to a malicious wireless network.


The information has been provided by Pedro Sampaio 

The original article can be found at:


The problem is inside the mwifiex_update_bss_desc_with_ie function in drivers/net/wireless/marvell/mwifiex/scan.c.

When a STA connects to an AP, the mwifiex_update_bss_desc_with_ie function is called to update the bss descriptor. In this function, the IEs of the beacon packet are parsed. When processing the WLAN_EID_SUPP_RATES element, it does not check the length of the rates data before calling memcpy. The dst buffer bss_entry->data_rates is an array with size

A remote attacker can build a fake AP that sends a malicious beacon packet with a long WLAN_EID_SUPP_RATES element (element_len>14). When a victim STA connects to the fake AP, this triggers the heap buffer overflow.
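
The missing length check, as an added user-space example (not the mwifiex driver's code or its fix): an information-element parser that refuses a WLAN_EID_SUPP_RATES element larger than its destination. The struct, function name and sample bytes are constructed for illustration, and the 14-byte buffer size is assumed from the element_len>14 condition above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EID_SUPP_RATES 1   /* value of WLAN_EID_SUPP_RATES in the 802.11 element ID space */
#define RATES_MAX      14  /* assumed destination size, from "element_len>14" */

struct bss_desc {          /* hypothetical stand-in for the driver's bss descriptor */
    uint8_t data_rates[RATES_MAX];
    size_t  rates_len;
};

/* Walk the id/len/value elements of a beacon body.
 * Returns 0 on success, -1 if an element is truncated or the rates
 * element is longer than the destination buffer. */
int parse_ies(const uint8_t *ies, size_t total, struct bss_desc *bss)
{
    size_t off = 0;

    memset(bss, 0, sizeof(*bss));
    while (total - off >= 2) {
        uint8_t id  = ies[off];
        uint8_t len = ies[off + 1];

        if (len > total - off - 2)
            return -1;                 /* element runs past the end of the frame */

        if (id == EID_SUPP_RATES) {
            if (len > sizeof(bss->data_rates))
                return -1;             /* the check that must precede memcpy */
            memcpy(bss->data_rates, ies + off + 2, len);
            bss->rates_len = len;
        }
        off += 2 + (size_t)len;
    }
    return off == total ? 0 : -1;      /* a stray trailing byte is malformed */
}

/* Constructed inputs: an 8-rate element, and a 16-byte one that must be rejected. */
static const uint8_t ok_ies[]  = { 0, 2, 'a', 'p', 1, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24 };
static const uint8_t bad_ies[] = { 1, 16, 1,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1 };

int main(void)
{
    struct bss_desc bss;
    return (parse_ies(ok_ies, sizeof(ok_ies), &bss) == 0 &&
            parse_ies(bad_ies, sizeof(bad_ies), &bss) == -1) ? 0 : 1;
}
```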


Vulnerable Systems:

  • Red Hat Enterprise Linux 6.0
  • Red Hat Enterprise Linux 7.0
  • Red Hat Enterprise Linux 8.0

CVE Information:


Disclosure Timeline:
Publish Date: 06/03/2019
