CVE-2024-35811: Vulnerability in Linux Linux

High
Published: Fri May 17 2024 (05/17/2024, 13:23:17 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

This is the candidate patch of CVE-2023-47233: https://nvd.nist.gov/vuln/detail/CVE-2023-47233

In brcm80211 driver, it starts with the following invoking chain to start init a timeout worker:

->brcmf_usb_probe
  ->brcmf_usb_probe_cb
    ->brcmf_attach
      ->brcmf_bus_started
        ->brcmf_cfg80211_attach
          ->wl_init_priv
            ->brcmf_init_escan
              ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker);

If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is:

brcmf_usb_disconnect
  ->brcmf_usb_disconnect_cb
    ->brcmf_detach
      ->brcmf_cfg80211_detach
        ->kfree(cfg);

While the timeout worker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.

Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach.

[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]

AI-Powered Analysis

Last updated: 06/29/2025, 16:10:50 UTC

Technical Analysis

CVE-2024-35811 is a use-after-free vulnerability in the Linux kernel's Broadcom wireless driver (brcmfmac), specifically within the brcmf_cfg80211_detach function. The vulnerability arises during the USB hotplug disconnect sequence of the Broadcom wireless device. When the USB device is disconnected, the driver initiates a cleanup process that frees the memory structure 'cfg' used by the wireless driver. However, a timeout worker function (brcmf_cfg80211_escan_timeout_worker), which is scheduled during the initialization of the wireless scanning functionality, may still be running concurrently. This worker accesses the 'cfg' structure after it has been freed, leading to a use-after-free condition. This can cause undefined behavior including kernel crashes, memory corruption, or potentially arbitrary code execution in kernel context. The root cause is the lack of proper synchronization and cancellation of the timeout worker before freeing the associated memory during device detachment. The fix involves deleting the timer and canceling the worker thread before freeing the 'cfg' structure, ensuring no concurrent access occurs post-free. This vulnerability is related to the brcm80211 driver stack and affects Linux kernel versions containing the vulnerable commit identified by the hash e756af5b30b008f6ffcfebf8ad0b477f6f225b62. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
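
The ordering problem described above, as an added example that is not the driver's code or the upstream patch: a single-threaded userspace model in which a queued work item outlives the structure that embeds it unless it is cancelled before the free. The names ending in _model, the struct layouts and the toy queue are assumptions for illustration, and the model covers only a queued work item, not one that is already executing.

```c
/* Added userspace model, not brcmfmac code; *_model names and layouts are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct work { void (*fn)(struct work *); bool pending; };
struct cfg_model { bool freed; int timeouts_handled; struct work escan_timeout_work; };

/* Static storage stands in for kmalloc()/kfree() so a stale access is observable safely. */
static struct cfg_model slot;
static struct work *pending_q[4];   /* toy workqueue */
static int n_pending, uaf_hits;

static void queue_work_model(struct work *w) {
    if (!w->pending && n_pending < 4) { w->pending = true; pending_q[n_pending++] = w; }
}

/* After this returns, w is no longer queued (the property detach needs). */
static void cancel_work_sync_model(struct work *w) {
    for (int i = 0; i < n_pending; i++)
        if (pending_q[i] == w) { pending_q[i] = pending_q[--n_pending]; break; }
    w->pending = false;
}

/* Reaches cfg through the embedded work item, like container_of(). */
static void escan_timeout_worker_model(struct work *w) {
    struct cfg_model *cfg = (struct cfg_model *)
        ((char *)w - offsetof(struct cfg_model, escan_timeout_work));
    if (cfg->freed) uaf_hits++;          /* in the kernel: touches freed memory */
    else cfg->timeouts_handled++;
}

/* Returns how many times the worker ran against a freed cfg. */
int uaf_hits_after_detach(bool cancel_before_free) {
    slot = (struct cfg_model){0}; n_pending = 0; uaf_hits = 0;
    slot.escan_timeout_work.fn = escan_timeout_worker_model;
    queue_work_model(&slot.escan_timeout_work);   /* scan timeout fired */
    if (cancel_before_free)                       /* ordering the fix enforces */
        cancel_work_sync_model(&slot.escan_timeout_work);
    slot.freed = true;                            /* models kfree(cfg) */
    while (n_pending > 0) {                       /* workqueue runs afterwards */
        struct work *w = pending_q[--n_pending];
        w->pending = false; w->fn(w);
    }
    return uaf_hits;
}

int main(void) {
    printf("free without cancel: %d\n", uaf_hits_after_detach(false));
    printf("cancel before free:  %d\n", uaf_hits_after_detach(true));
    return 0;
}
```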

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected Broadcom wireless driver versions, especially those using USB-connected Broadcom Wi-Fi devices. The use-after-free bug can lead to system instability or crashes, potentially causing denial of service on critical infrastructure or endpoints. More severely, if exploited, it could allow an attacker with local access or the ability to trigger USB device disconnect events to execute arbitrary code in kernel mode, compromising system confidentiality and integrity. This is particularly concerning for organizations relying on Linux-based servers, embedded devices, or workstations with Broadcom wireless hardware. Given the widespread use of Linux in enterprise environments, including cloud infrastructure and IoT devices, the vulnerability could impact network reliability and security. However, exploitation requires triggering USB hotplug events and timing the worker execution, which may limit remote exploitation scenarios. Still, insider threats or malicious USB devices could leverage this flaw. The vulnerability also affects the availability of services dependent on wireless connectivity, which could disrupt business operations.

Mitigation Recommendations

European organizations should promptly apply the official Linux kernel patches that address CVE-2024-35811 by ensuring their systems are updated to kernel versions containing the fix. Specifically, the patch cancels the timeout worker and deletes the timer before freeing memory during device detachment. Organizations should audit their Linux systems to identify those using Broadcom USB wireless devices and verify kernel versions against the fixed commit. For environments where immediate patching is not feasible, temporary mitigations include disabling USB hotplug functionality for Broadcom wireless devices or unloading the brcmfmac driver when not in use to prevent triggering the vulnerability. Additionally, implementing strict USB device control policies can reduce the risk of malicious USB device insertion or disconnection events. Monitoring kernel logs for unusual USB disconnects or driver errors may help detect attempted exploitation. Finally, organizations should maintain robust endpoint security controls and limit local user privileges to reduce the attack surface.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T12:19:12.342Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe3535

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 4:10:50 PM

Last updated: 7/28/2025, 11:16:39 PM
