CVE-2024-40912: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from softirq context. However using only spin_lock() to get sta->ps_lock in ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to take this same lock ending in deadlock. Below is an example of rcu stall that arises in such situation. rcu: INFO: rcu_sched self-detected stall on CPU rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 Hardware name: RPT (r1) (DT) pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : queued_spin_lock_slowpath+0x58/0x2d0 lr : invoke_tx_handlers_early+0x5b4/0x5c0 sp : ffff00001ef64660 x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 Call trace: queued_spin_lock_slowpath+0x58/0x2d0 ieee80211_tx+0x80/0x12c ieee80211_tx_pending+0x110/0x278 tasklet_action_common.constprop.0+0x10c/0x144 tasklet_action+0x20/0x28 _stext+0x11c/0x284 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 do_softirq+0x74/0x7c __local_bh_enable_ip+0xa0/0xa4 _ieee80211_wake_txqs+0x3b0/0x4b8 __ieee80211_wake_queue+0x12c/0x168 ieee80211_add_pending_skbs+0xec/0x138 ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 ieee80211_mps_sta_status_update.part.0+0xd8/0x11c ieee80211_mps_sta_status_update+0x18/0x24 sta_apply_parameters+0x3bc/0x4c0 ieee80211_change_station+0x1b8/0x2dc nl80211_set_station+0x444/0x49c genl_family_rcv_msg_doit.isra.0+0xa4/0xfc genl_rcv_msg+0x1b0/0x244 netlink_rcv_skb+0x38/0x10c genl_rcv+0x34/0x48 netlink_unicast+0x254/0x2bc netlink_sendmsg+0x190/0x3b4 ____sys_sendmsg+0x1e8/0x218 ___sys_sendmsg+0x68/0x8c __sys_sendmsg+0x44/0x84 __arm64_sys_sendmsg+0x20/0x28 do_el0_svc+0x6c/0xe8 el0_svc+0x14/0x48 el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x14c/0x150 Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise on the same CPU that is holding the lock.
AI Analysis
Technical Summary
CVE-2024-40912 is a concurrency vulnerability in the Linux kernel's mac80211 wireless subsystem, specifically within the ieee80211_sta_ps_deliver_wakeup() function. This function is responsible for managing power-saving wakeup sequences for Wi-Fi stations. The vulnerability arises because ieee80211_sta_ps_deliver_wakeup() uses a spin_lock() to acquire the sta->ps_lock, which is intended to synchronize with ieee80211_tx_h_unicast_ps_buf() called from softirq context. However, spin_lock() alone does not prevent the softirq from executing on the same CPU while the lock is held, leading to a deadlock scenario. This deadlock manifests as an RCU (Read-Copy-Update) stall detected by the kernel, causing the CPU to hang waiting indefinitely for the lock to be released. The root cause is that ieee80211_tx_h_unicast_ps_buf() attempts to acquire the same lock while it is already held by ieee80211_sta_ps_deliver_wakeup(), but since softirqs can run on the same CPU, this results in a circular wait. The fix involves replacing spin_lock() with spin_lock_bh()/spin_unlock_bh(), which disables bottom halves (including softirqs) on the local CPU while the lock is held, preventing the softirq from running and thus avoiding the deadlock. This vulnerability affects multiple Linux kernel versions as indicated by the commit hashes listed, and impacts systems using the mac80211 Wi-Fi stack. Although no known exploits are reported in the wild, the issue can cause system hangs or stalls, impacting availability of wireless networking services. The vulnerability is rooted in kernel-level synchronization primitives and affects the core wireless networking functionality, making it relevant for any Linux-based system using mac80211 drivers, including servers, desktops, and embedded devices with Wi-Fi capabilities.
Potential Impact
For European organizations, the impact of CVE-2024-40912 can be significant, particularly for those relying on Linux-based infrastructure with wireless connectivity. The deadlock leads to CPU stalls and system hangs, which can disrupt critical network services, causing downtime and loss of productivity. Organizations in sectors such as telecommunications, manufacturing, healthcare, and finance that utilize Linux servers or embedded devices with Wi-Fi may experience degraded network performance or outages. In environments where wireless connectivity is essential for operational continuity, such as remote monitoring or IoT deployments, this vulnerability could lead to service interruptions. Additionally, the kernel stalls may complicate incident response and system recovery, increasing operational costs. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact alone can be disruptive. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability poses a broad risk. Moreover, the potential for denial-of-service conditions in critical infrastructure could have cascading effects on dependent services and users.
Mitigation Recommendations
To mitigate CVE-2024-40912, European organizations should prioritize applying the official Linux kernel patches that replace spin_lock() with spin_lock_bh() in the ieee80211_sta_ps_deliver_wakeup() function. Kernel updates containing this fix should be deployed promptly across all affected systems, especially those with active Wi-Fi interfaces using the mac80211 stack. Organizations should: 1) Identify all Linux systems running affected kernel versions and verify if mac80211-based Wi-Fi drivers are in use. 2) Test and deploy updated kernel versions from trusted Linux distributions or compile kernels with the patch applied. 3) For embedded or specialized devices, coordinate with vendors to obtain patched firmware or kernel updates. 4) Monitor system logs for RCU stall messages or symptoms of deadlocks as early indicators of the issue. 5) Implement network segmentation and redundancy to minimize impact if a system becomes unresponsive. 6) Consider temporarily disabling Wi-Fi interfaces on critical systems where feasible until patches are applied. 7) Maintain robust backup and recovery procedures to restore systems quickly if hangs occur. These steps go beyond generic advice by focusing on targeted patching, proactive detection, and operational continuity planning specific to this kernel-level deadlock.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-40912: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from softirq context. However using only spin_lock() to get sta->ps_lock in ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to take this same lock ending in deadlock. Below is an example of rcu stall that arises in such situation. rcu: INFO: rcu_sched self-detected stall on CPU rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 Hardware name: RPT (r1) (DT) pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : queued_spin_lock_slowpath+0x58/0x2d0 lr : invoke_tx_handlers_early+0x5b4/0x5c0 sp : ffff00001ef64660 x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 Call trace: queued_spin_lock_slowpath+0x58/0x2d0 ieee80211_tx+0x80/0x12c ieee80211_tx_pending+0x110/0x278 tasklet_action_common.constprop.0+0x10c/0x144 tasklet_action+0x20/0x28 _stext+0x11c/0x284 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 do_softirq+0x74/0x7c __local_bh_enable_ip+0xa0/0xa4 _ieee80211_wake_txqs+0x3b0/0x4b8 __ieee80211_wake_queue+0x12c/0x168 ieee80211_add_pending_skbs+0xec/0x138 ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 ieee80211_mps_sta_status_update.part.0+0xd8/0x11c ieee80211_mps_sta_status_update+0x18/0x24 sta_apply_parameters+0x3bc/0x4c0 ieee80211_change_station+0x1b8/0x2dc nl80211_set_station+0x444/0x49c genl_family_rcv_msg_doit.isra.0+0xa4/0xfc genl_rcv_msg+0x1b0/0x244 netlink_rcv_skb+0x38/0x10c genl_rcv+0x34/0x48 netlink_unicast+0x254/0x2bc netlink_sendmsg+0x190/0x3b4 ____sys_sendmsg+0x1e8/0x218 ___sys_sendmsg+0x68/0x8c __sys_sendmsg+0x44/0x84 __arm64_sys_sendmsg+0x20/0x28 do_el0_svc+0x6c/0xe8 el0_svc+0x14/0x48 el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x14c/0x150 Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise on the same CPU that is holding the lock.
AI-Powered Analysis
Technical Analysis
CVE-2024-40912 is a concurrency vulnerability in the Linux kernel's mac80211 wireless subsystem, specifically within the ieee80211_sta_ps_deliver_wakeup() function. This function is responsible for managing power-saving wakeup sequences for Wi-Fi stations. The vulnerability arises because ieee80211_sta_ps_deliver_wakeup() uses a spin_lock() to acquire the sta->ps_lock, which is intended to synchronize with ieee80211_tx_h_unicast_ps_buf() called from softirq context. However, spin_lock() alone does not prevent the softirq from executing on the same CPU while the lock is held, leading to a deadlock scenario. This deadlock manifests as an RCU (Read-Copy-Update) stall detected by the kernel, causing the CPU to hang waiting indefinitely for the lock to be released. The root cause is that ieee80211_tx_h_unicast_ps_buf() attempts to acquire the same lock while it is already held by ieee80211_sta_ps_deliver_wakeup(), but since softirqs can run on the same CPU, this results in a circular wait. The fix involves replacing spin_lock() with spin_lock_bh()/spin_unlock_bh(), which disables bottom halves (including softirqs) on the local CPU while the lock is held, preventing the softirq from running and thus avoiding the deadlock. This vulnerability affects multiple Linux kernel versions as indicated by the commit hashes listed, and impacts systems using the mac80211 Wi-Fi stack. Although no known exploits are reported in the wild, the issue can cause system hangs or stalls, impacting availability of wireless networking services. The vulnerability is rooted in kernel-level synchronization primitives and affects the core wireless networking functionality, making it relevant for any Linux-based system using mac80211 drivers, including servers, desktops, and embedded devices with Wi-Fi capabilities.
Potential Impact
For European organizations, the impact of CVE-2024-40912 can be significant, particularly for those relying on Linux-based infrastructure with wireless connectivity. The deadlock leads to CPU stalls and system hangs, which can disrupt critical network services, causing downtime and loss of productivity. Organizations in sectors such as telecommunications, manufacturing, healthcare, and finance that utilize Linux servers or embedded devices with Wi-Fi may experience degraded network performance or outages. In environments where wireless connectivity is essential for operational continuity, such as remote monitoring or IoT deployments, this vulnerability could lead to service interruptions. Additionally, the kernel stalls may complicate incident response and system recovery, increasing operational costs. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact alone can be disruptive. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability poses a broad risk. Moreover, the potential for denial-of-service conditions in critical infrastructure could have cascading effects on dependent services and users.
Mitigation Recommendations
To mitigate CVE-2024-40912, European organizations should prioritize applying the official Linux kernel patches that replace spin_lock() with spin_lock_bh() in the ieee80211_sta_ps_deliver_wakeup() function. Kernel updates containing this fix should be deployed promptly across all affected systems, especially those with active Wi-Fi interfaces using the mac80211 stack. Organizations should: 1) Identify all Linux systems running affected kernel versions and verify if mac80211-based Wi-Fi drivers are in use. 2) Test and deploy updated kernel versions from trusted Linux distributions or compile kernels with the patch applied. 3) For embedded or specialized devices, coordinate with vendors to obtain patched firmware or kernel updates. 4) Monitor system logs for RCU stall messages or symptoms of deadlocks as early indicators of the issue. 5) Implement network segmentation and redundancy to minimize impact if a system becomes unresponsive. 6) Consider temporarily disabling Wi-Fi interfaces on critical systems where feasible until patches are applied. 7) Maintain robust backup and recovery procedures to restore systems quickly if hangs occur. These steps go beyond generic advice by focusing on targeted patching, proactive detection, and operational continuity planning specific to this kernel-level deadlock.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.581Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9821c4522896dcbdde8b
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 4:10:37 AM
Last updated: 8/14/2025, 6:37:17 AM
Views: 14
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.