We uncovered five vulnerabilities in Linux's Wi-Fi stack, some of which date back to kernel version 5.1 from May 2019. As the Android kernel shares parts of the same stack, we expect it is also affected by three of these five weaknesses.
The vulnerabilities can easily be exploited over the air, leading to denial of service. We suspect that a sophisticated attacker might be able to turn them into a remote code execution attack. Because we found the issues in the Beacon frame parsing, the victim's device need only be scanning for networks; the attack requires no additional user interaction. Several online media sites cover our findings (heise, Linux Magazin, Phoronix, computing).
Soenke Huster was invited to discuss the findings and his research for an episode of the German podcast Risikozone, which is available here.
Patches are included in the newest kernel stable releases v6.0.2 and v5.15.74. We recommend installing the latest updates as soon as possible.