CVE-2024-26892: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921e: fix use-after-free in free_irq()

From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore.

BUG: KASAN: use-after-free in mt7921_irq_handler+0xd8/0x100 [mt7921e]
Read of size 8 at addr ffff88824a7d3b78 by task rmmod/11115
CPU: 28 PID: 11115 Comm: rmmod Tainted: G W L 5.17.0 #10
Hardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I EDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024
Call Trace:
 <TASK>
 dump_stack_lvl+0x6f/0xa0
 print_address_description.constprop.0+0x1f/0x190
 ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
 ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
 kasan_report.cold+0x7f/0x11b
 ? mt7921_irq_handler+0xd8/0x100 [mt7921e]
 mt7921_irq_handler+0xd8/0x100 [mt7921e]
 free_irq+0x627/0xaa0
 devm_free_irq+0x94/0xd0
 ? devm_request_any_context_irq+0x160/0x160
 ? kobject_put+0x18d/0x4a0
 mt7921_pci_remove+0x153/0x190 [mt7921e]
 pci_device_remove+0xa2/0x1d0
 __device_release_driver+0x346/0x6e0
 driver_detach+0x1ef/0x2c0
 bus_remove_driver+0xe7/0x2d0
 ? __check_object_size+0x57/0x310
 pci_unregister_driver+0x26/0x250
 __do_sys_delete_module+0x307/0x510
 ? free_module+0x6a0/0x6a0
 ? fpregs_assert_state_consistent+0x4b/0xb0
 ? rcu_read_lock_sched_held+0x10/0x70
 ? syscall_enter_from_user_mode+0x20/0x70
 ? trace_hardirqs_on+0x1c/0x130
 do_syscall_64+0x5c/0x80
 ? trace_hardirqs_on_prepare+0x72/0x160
 ? do_syscall_64+0x68/0x80
 ? trace_hardirqs_on_prepare+0x72/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI Analysis
Technical Summary
CVE-2024-26892 is a use-after-free vulnerability identified in the Linux kernel's mt76 wireless driver, specifically affecting the mt7921e device. The flaw arises in the handling of shared interrupt requests (IRQs) during device removal. After deregistration of the device's IRQ handler, the kernel fails to properly mark the device as removed, leading to potential access of freed memory when the IRQ handler is unexpectedly invoked. This results in a use-after-free condition detected by Kernel Address Sanitizer (KASAN), which can cause kernel crashes or undefined behavior. The vulnerability is rooted in the mt7921_irq_handler function, where the driver does not adequately prevent access to resources after the device has been removed, as indicated by the absence of the MT76_REMOVED flag. The issue was introduced in commit a304e1b82808 and affects Linux kernel versions containing specific commits listed in the affectedVersions field. Exploitation would require triggering the removal of the affected wireless device module (rmmod) while the IRQ handler is still active, potentially leading to kernel memory corruption. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability is significant because it affects the kernel's wireless networking stack, which is critical for device connectivity and system stability.
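The sequence in the call trace (mt7921_pci_remove, then free_irq, then mt7921_irq_handler) can be modelled in user space to show why a removed flag closes the window. This is an added example, not the mt76 driver's code: the struct, function names and the teardown ordering are assumptions made for illustration, and a stale access is only counted, never performed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; all names are hypothetical, not kernel APIs. */
struct model_dev {
    bool removed;        /* plays the role of the MT76_REMOVED flag */
    bool regs_mapped;    /* false once the remove path released the resource */
    int  stale_accesses; /* handler touched a released resource (the KASAN hit) */
};

typedef int (*irq_fn)(struct model_dev *);

/* Handler without a guard: always reaches for device resources. */
static int handler_unguarded(struct model_dev *d) {
    if (!d->regs_mapped)
        d->stale_accesses++;   /* in the kernel this is the use-after-free read */
    return 1;                  /* "handled" */
}

/* Handler with the guard: refuse to touch anything once marked removed. */
static int handler_guarded(struct model_dev *d) {
    if (d->removed)
        return 0;              /* "not mine", no resource access */
    return handler_unguarded(d);
}

/* Models free_irq() with the shared-IRQ debug test described above:
 * the handler is invoked one more time at deregistration. */
static void model_free_irq(irq_fn fn, struct model_dev *d) {
    (void)fn(d);
}

/* Models the remove path. Assumption: resources are released before the
 * IRQ is freed, which is what the call trace implies. Returns stale accesses. */
static int run_remove(irq_fn fn, bool set_removed_flag) {
    struct model_dev d = { .regs_mapped = true };
    (void)fn(&d);                      /* ordinary interrupt, device live */
    if (set_removed_flag)
        d.removed = true;              /* mark removed first */
    d.regs_mapped = false;             /* teardown */
    model_free_irq(fn, &d);            /* spurious call from the debug test */
    return d.stale_accesses;
}

int main(void) {
    printf("unguarded handler: %d stale access(es)\n", run_remove(handler_unguarded, false));
    printf("guarded, flag set: %d stale access(es)\n", run_remove(handler_guarded, true));
    printf("guarded, no flag:  %d stale access(es)\n", run_remove(handler_guarded, false));
    return 0;
}
```

The third case shows that the guard in the handler is only effective if the remove path sets the flag before it releases anything the handler reads.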
Potential Impact
For European organizations, the impact of CVE-2024-26892 could be substantial, especially for those relying heavily on Linux-based systems with mt7921e wireless hardware, such as laptops, embedded devices, or servers with wireless capabilities. Exploitation could lead to kernel crashes (denial of service), system instability, or potentially privilege escalation if combined with other vulnerabilities, thereby compromising confidentiality, integrity, and availability of systems. This can disrupt business operations, particularly in sectors like finance, healthcare, and critical infrastructure where wireless connectivity is integral. Additionally, organizations using Linux in IoT or industrial control environments could face operational disruptions. Given the kernel-level nature of the flaw, successful exploitation could allow attackers to bypass security controls and gain persistent access or cause system outages.
Mitigation Recommendations
To mitigate this vulnerability, organizations should promptly apply the official Linux kernel patches that address the use-after-free in the mt7921e driver by ensuring the MT76_REMOVED flag is correctly set during device removal. System administrators should monitor kernel updates from trusted Linux distributions and prioritize upgrading to patched kernel versions. Additionally, disabling or unloading the mt7921e wireless driver on systems where it is not required can reduce exposure. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can help detect similar issues early. Network segmentation and limiting user privileges to prevent unauthorized module removal (rmmod) can also reduce exploitation risk. Finally, organizations should maintain robust monitoring for unusual kernel crashes or system instability that could indicate exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.186Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbddb36
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:41:35 AM
Last updated: 8/4/2025, 5:50:21 AM