CVE-2024-26895: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

wilc_netdev_cleanup currently triggers a KASAN warning, which can be observed on interface registration error path, or simply by removing the module/unbinding device from driver:

    echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind

    ==================================================================
    BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
    Read of size 4 at addr c54d1ce8 by task sh/86

    CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
    Hardware name: Atmel SAMA5
     unwind_backtrace from show_stack+0x18/0x1c
     show_stack from dump_stack_lvl+0x34/0x58
     dump_stack_lvl from print_report+0x154/0x500
     print_report from kasan_report+0xac/0xd8
     kasan_report from wilc_netdev_cleanup+0x508/0x5cc
     wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
     wilc_bus_remove from spi_remove+0x8c/0xac
     spi_remove from device_release_driver_internal+0x434/0x5f8
     device_release_driver_internal from unbind_store+0xbc/0x108
     unbind_store from kernfs_fop_write_iter+0x398/0x584
     kernfs_fop_write_iter from vfs_write+0x728/0xf88
     vfs_write from ksys_write+0x110/0x1e4
     ksys_write from ret_fast_syscall+0x0/0x1c
    [...]

    Allocated by task 1:
     kasan_save_track+0x30/0x5c
     __kasan_kmalloc+0x8c/0x94
     __kmalloc_node+0x1cc/0x3e4
     kvmalloc_node+0x48/0x180
     alloc_netdev_mqs+0x68/0x11dc
     alloc_etherdev_mqs+0x28/0x34
     wilc_netdev_ifc_init+0x34/0x8ec
     wilc_cfg80211_init+0x690/0x910
     wilc_bus_probe+0xe0/0x4a0
     spi_probe+0x158/0x1b0
     really_probe+0x270/0xdf4
     __driver_probe_device+0x1dc/0x580
     driver_probe_device+0x60/0x140
     __driver_attach+0x228/0x5d4
     bus_for_each_dev+0x13c/0x1a8
     bus_add_driver+0x2a0/0x608
     driver_register+0x24c/0x578
     do_one_initcall+0x180/0x310
     kernel_init_freeable+0x424/0x484
     kernel_init+0x20/0x148
     ret_from_fork+0x14/0x28

    Freed by task 86:
     kasan_save_track+0x30/0x5c
     kasan_save_free_info+0x38/0x58
     __kasan_slab_free+0xe4/0x140
     kfree+0xb0/0x238
     device_release+0xc0/0x2a8
     kobject_put+0x1d4/0x46c
     netdev_run_todo+0x8fc/0x11d0
     wilc_netdev_cleanup+0x1e4/0x5cc
     wilc_bus_remove+0xc8/0xec
     spi_remove+0x8c/0xac
     device_release_driver_internal+0x434/0x5f8
     unbind_store+0xbc/0x108
     kernfs_fop_write_iter+0x398/0x584
     vfs_write+0x728/0xf88
     ksys_write+0x110/0x1e4
     ret_fast_syscall+0x0/0x1c
    [...]

David Mosberger-Tan initial investigation [1] showed that this use-after-free is due to netdevice unregistration during vif list traversal. When unregistering a net device, since the needs_free_netdev has been set to true during registration, the netdevice object is also freed, and as a consequence, the corresponding vif object too, since it is attached to it as private netdevice data. The next occurrence of the loop then tries to access freed vif pointer to the list to move forward in the list.

Fix this use-after-free thanks to two mechanisms:
- navigate in the list with list_for_each_entry_safe, which allows to safely modify the list as we go through each element. For each element, remove it from the list with list_del_rcu
- make sure to wait for RCU grace period end after each vif removal to make sure it is safe to free the corresponding vif too (through unregister_netdev)

Since we are in a RCU "modifier" path (not a "reader" path), and because such path is expected not to be concurrent to any other modifier (we are using the vif_mutex lock), we do not need to use RCU list API, that's why we can benefit from list_for_each_entry_safe.

[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/
AI Analysis
Technical Summary
CVE-2024-26895 is a use-after-free vulnerability identified in the Linux kernel's wireless driver for the WILC1000 WiFi chipset (wilc1000). The flaw occurs in the function wilc_netdev_cleanup, which is responsible for cleaning up network interfaces (vif) during device unbinding or module removal. Specifically, the vulnerability arises when the driver attempts to unregister net devices while traversing the vif list. Because the netdevice object is freed upon unregistration (due to the needs_free_netdev flag), the associated vif object, which is stored as private data within the netdevice, is also freed. However, the traversal loop continues to access the freed vif pointer, leading to a use-after-free condition. This is detected by Kernel Address Sanitizer (KASAN) as a slab-use-after-free error. The root cause is improper list traversal and synchronization during vif removal. The fix involves two key mechanisms: (1) using list_for_each_entry_safe to safely iterate and modify the vif list, removing elements with list_del_rcu, and (2) waiting for the Read-Copy-Update (RCU) grace period to ensure safe freeing of vif objects after unregister_netdev calls. The vulnerability is triggered during interface registration errors or when unbinding the wilc1000_spi driver, which is used primarily on embedded systems with Atmel SAMA5 hardware. While no known exploits are reported in the wild, the flaw could lead to kernel crashes or potential escalation of privileges if exploited, as use-after-free bugs can be leveraged for arbitrary code execution in kernel context. The vulnerability affects Linux kernel versions containing the wilc1000 driver prior to the fix applied in kernel version 6.8.0-rc1+ and related commits. The issue was initially investigated by David Mosberger-Tan and publicly disclosed in April 2024.
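The traversal bug and the shape of the fix described above, modelled in userspace C as an added example (this is not the driver's code or the upstream patch). The struct layouts, `next_of`, `unregister_model` and `run` are hypothetical names; a freed vif is only flagged rather than released, so reads of freed objects can be counted without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel list and the driver's vif (hypothetical names). */
struct list_head { struct list_head *next, *prev; };
struct vif { int freed; struct list_head list; };
#define VIF_OF(p) ((struct vif *)((char *)(p) - offsetof(struct vif, list)))
#define MAX_VIFS 8
static int stale_reads;   /* reads of a vif after it was "freed" */

/* Every list advance goes through this checked accessor, a tiny KASAN stand-in. */
static struct list_head *next_of(struct vif *v) {
    if (v->freed) stale_reads++;
    return v->list.next;
}
/* Models unregister_netdev() with needs_free_netdev set: the vif dies with the netdev.
 * The object is only flagged, never released, so the model has no undefined behaviour. */
static void unregister_model(struct vif *v) { v->freed = 1; }

/* Pre-fix shape: free the element, then read it to find the next one. */
static void cleanup_unsafe(struct list_head *head) {
    for (struct list_head *p = head->next; p != head; ) {
        struct vif *v = VIF_OF(p);
        unregister_model(v);
        p = next_of(v);                  /* read of a freed vif */
    }
}
/* Post-fix shape (list_for_each_entry_safe): save next, unlink, then free. */
static void cleanup_safe(struct list_head *head) {
    for (struct list_head *p = head->next, *n; p != head; p = n) {
        struct vif *v = VIF_OF(p);
        n = next_of(v);                  /* read while v is still alive */
        p->prev->next = p->next;         /* unlink: list_del_rcu() in the fix */
        p->next->prev = p->prev;
        /* the fix waits for the RCU grace period here (not modelled) */
        unregister_model(v);
    }
}
/* Build n vifs, run one cleanup, return stale reads; *empty = head points at itself. */
static int run(int n, int safe, int *empty) {
    struct list_head head = { &head, &head };
    struct vif all[MAX_VIFS] = {0};
    if (n > MAX_VIFS) n = MAX_VIFS;
    for (int i = 0; i < n; i++) {        /* list_add_tail equivalent */
        all[i].list.prev = head.prev; all[i].list.next = &head;
        head.prev->next = &all[i].list; head.prev = &all[i].list;
    }
    stale_reads = 0;
    if (safe) cleanup_safe(&head); else cleanup_unsafe(&head);
    *empty = (head.next == &head);
    return stale_reads;
}

int main(void) {
    int e, u = run(3, 0, &e), s = run(3, 1, &e);
    printf("stale reads: unsafe=%d safe=%d\n", u, s);
    return 0;
}
```

In the unsafe variant every element is read once after being freed and the list head still points at freed objects; in the safe variant the count is zero and the list ends up empty.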
Potential Impact
For European organizations, the impact of CVE-2024-26895 depends largely on their use of Linux-based embedded systems or devices that incorporate the WILC1000 WiFi chipset, such as industrial IoT devices, network appliances, or specialized hardware running Linux kernels vulnerable to this flaw. Exploitation could lead to denial of service via kernel crashes or potentially privilege escalation, compromising device integrity and availability. This is particularly critical for sectors relying on embedded Linux devices for operational technology (OT), manufacturing automation, or critical infrastructure, where device stability and security are paramount. Although no public exploits exist yet, the vulnerability's presence in the Linux kernel means that any organization deploying affected devices without timely patching could face increased risk of targeted attacks or malware leveraging this flaw. Additionally, the use-after-free nature of the bug could be a stepping stone for attackers to execute arbitrary code in kernel space, potentially allowing full system compromise. This risk is heightened in environments where devices are exposed to untrusted networks or users. Therefore, European enterprises with embedded Linux deployments or custom Linux kernels incorporating the wilc1000 driver should consider this vulnerability a serious threat to device security and operational continuity.
Mitigation Recommendations
Mitigation requires applying the official Linux kernel patches that address the use-after-free in the wilc1000 driver. Organizations should:
1) Identify all devices running Linux kernels with the wilc1000 driver, especially embedded systems using Atmel SAMA5 or similar hardware.
2) Update these devices to Linux kernel versions 6.8.0-rc1+ or later where the fix is integrated, or backport the patch if using older kernel versions.
3) For devices where kernel updates are not immediately feasible, consider disabling or unloading the wilc1000_spi driver module to prevent triggering the vulnerability, recognizing this may impact WiFi functionality.
4) Implement strict access controls to prevent unauthorized unbinding or module removal operations, as these actions trigger the vulnerability.
5) Monitor kernel logs for KASAN warnings or unusual crashes related to wilc_netdev_cleanup to detect potential exploitation attempts.
6) Engage with device vendors to obtain updated firmware or kernel versions that include the fix.
7) Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely remediation.
These steps go beyond generic advice by focusing on embedded device inventory, kernel version management, and operational controls specific to the wilc1000 driver environment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.186Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe3e89
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 7:57:14 PM
Last updated: 8/8/2025, 11:03:35 AM