
CVE-2024-43911: Vulnerability in the Linux kernel (vendor Linux, product Linux)

High
Published: Mon Aug 26 2024 (08/26/2024, 10:11:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL dereference at band check in starting tx ba session

In MLD connection, link_data/link_conf are dynamically allocated. They don't point to vif->bss_conf. So, there will be no chanreq assigned to vif->bss_conf and then the chan will be NULL. Tweak the code to check ht_supported/vht_supported/has_he/has_eht on sta deflink.

Crash log (with rtw89 version under MLO development):

[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 9890.526102] #PF: supervisor read access in kernel mode
[ 9890.526105] #PF: error_code(0x0000) - not-present page
[ 9890.526109] PGD 0 P4D 0
[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI
[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1
[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018
[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]
[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211
[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3
All code
========
   0: f7 e8                   imul   %eax
   2: d5                      (bad)
   3: 93                      xchg   %eax,%ebx
   4: 3e ea                   ds (bad)
   6: 48 83 c4 28             add    $0x28,%rsp
   a: 89 d8                   mov    %ebx,%eax
   c: 5b                      pop    %rbx
   d: 41 5c                   pop    %r12
   f: 41 5d                   pop    %r13
  11: 41 5e                   pop    %r14
  13: 41 5f                   pop    %r15
  15: 5d                      pop    %rbp
  16: c3                      retq
  17: cc                      int3
  18: cc                      int3
  19: cc                      int3
  1a: cc                      int3
  1b: 49 8b 84 24 e0 f1 ff    mov    -0xe20(%r12),%rax
  22: ff
  23: 48 8b 80 90 1b 00 00    mov    0x1b90(%rax),%rax
  2a:* 83 38 03               cmpl   $0x3,(%rax)        <-- trapping instruction
  2d: 0f 84 37 fe ff ff       je     0xfffffffffffffe6a
  33: bb ea ff ff ff          mov    $0xffffffea,%ebx
  38: eb cc                   jmp    0x6
  3a: 49                      rex.WB
  3b: 8b                      .byte 0x8b
  3c: 84 24 10                test   %ah,(%rax,%rdx,1)
  3f: f3                      repz

Code starting with the faulting instruction
===========================================
   0: 83 38 03                cmpl   $0x3,(%rax)
   3: 0f 84 37 fe ff ff       je     0xfffffffffffffe40
   9: bb ea ff ff ff          mov    $0xffffffea,%ebx
   e: eb cc                   jmp    0xffffffffffffffdc
  10: 49                      rex.WB
  11: 8b                      .byte 0x8b
  12: 84 24 10                test   %ah,(%rax,%rdx,1)
  15: f3                      repz

[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246
[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8
[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685
[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873
[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70
[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000
[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000
[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0
[ 9890.526321] Call Trace:
[ 9890.526324] <TASK>
[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)
[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)
[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator ---truncated---

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 17:26:44 UTC

Technical Analysis

CVE-2024-43911 is a vulnerability in the Linux kernel's mac80211 wireless subsystem, in the code that starts a TX Block Acknowledgement (BA) session (ieee80211_start_tx_ba_session, net/mac80211/agg-tx.c). Before an ADDBA request is sent, the function performed a band check that read the operating channel out of vif->bss_conf. In a Multi-Link Device (MLD) connection, link_data and link_conf are allocated dynamically per link and do not point at vif->bss_conf, so no chanreq is ever assigned there and the channel pointer stays NULL. The band check then dereferences that NULL pointer and the kernel oopses: the trapping instruction in the log is cmpl $0x3,(%rax) with RAX = 0, i.e. a read of the band field from address 0 (3 is the nl80211 index of the 6 GHz band). The fix drops the channel-based band check and instead tests ht_supported, vht_supported, has_he and has_eht on the station's default link (sta deflink), none of which depend on vif->bss_conf. The crash was reproduced with the rtw89 driver under MLO development (the oops is raised from the driver's rtw89_core_ba_work workqueue on a 6.9.0 kernel), but the faulty check lives in mac80211, so any driver that starts TX BA sessions on an MLD link is exposed. The outcome is a kernel NULL pointer dereference, that is a crash and denial of service rather than memory corruption. No public exploits are known and no CVSS score has been assigned. The issue is confined to the wireless networking code and is only reachable on kernels without the fix that use MLD/MLO connections.
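To make the failure mode concrete, the following is an added userspace model, not code from this page or from the kernel tree, of the pre-fix and post-fix check. The struct layout, the functions ba_band_check_vulnerable, ba_band_check_fixed and legacy_check_would_fault, and the fixture make_sta are assumptions made for illustration; the shape of the pre-fix condition (a non-HT station is only allowed to start a BA session when the vif's channel is 6 GHz) is inferred from the commit message and from the trapping cmpl $0x3,(%rax), since NL80211_BAND_6GHZ is 3.

```c
/* Userspace model of the band check in ieee80211_start_tx_ba_session().
 * Added example, not kernel code: the struct layout below is a deliberate
 * simplification of mac80211's vif/link_conf/sta and is an assumption. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* nl80211 band indices. NL80211_BAND_6GHZ is 3, which is what the trapping
 * "cmpl $0x3,(%rax)" in the oops compares against, with %rax == 0. */
enum nl80211_band { NL80211_BAND_2GHZ, NL80211_BAND_5GHZ,
                    NL80211_BAND_60GHZ, NL80211_BAND_6GHZ };

struct ieee80211_channel { enum nl80211_band band; };

/* Per-link configuration. Non-MLD: the only link lives in vif->bss_conf.
 * MLD: links are allocated separately and vif->bss_conf.chan stays NULL. */
struct link_conf { struct ieee80211_channel *chan; };

struct vif {
    bool mld;
    struct link_conf bss_conf;      /* legacy single-link config */
    struct link_conf *link_conf[2]; /* MLD: dynamically allocated links */
};

struct sta_link_caps { bool ht_supported, vht_supported, has_he, has_eht; };

struct sta { struct sta_link_caps deflink; struct vif *vif; };

/* Before the fix: a non-HT station may only start a BA session if the vif's
 * operating channel is 6 GHz. Keeps the faulty behaviour on purpose: with an
 * MLD vif, bss_conf.chan is NULL and "->band" reads address 0. */
int ba_band_check_vulnerable(const struct sta *sta)
{
    if (!sta->deflink.ht_supported &&
        sta->vif->bss_conf.chan->band != NL80211_BAND_6GHZ)
        return -EINVAL;
    return 0;
}

/* After the fix: decide from the station's own default-link capabilities.
 * Any of HT/VHT/HE/EHT implies block-ack support, so no channel lookup is
 * needed and there is nothing to dereference, MLD or not. */
int ba_band_check_fixed(const struct sta *sta)
{
    const struct sta_link_caps *c = &sta->deflink;
    if (!c->ht_supported && !c->vht_supported && !c->has_he && !c->has_eht)
        return -EINVAL;
    return 0;
}

/* True when the pre-fix check would read through a NULL channel pointer. */
bool legacy_check_would_fault(const struct sta *sta)
{
    return sta->vif->bss_conf.chan == NULL;
}

/* Constructed test fixture: a station on a legacy vif, or on an MLD vif whose
 * channel lives only in the separately allocated link_conf[0]. */
struct sta *make_sta(bool mld, enum nl80211_band band, struct sta_link_caps caps)
{
    struct ieee80211_channel *chan = calloc(1, sizeof *chan);
    struct vif *vif = calloc(1, sizeof *vif);
    struct sta *sta = calloc(1, sizeof *sta);
    chan->band = band;
    vif->mld = mld;
    if (mld) {
        vif->link_conf[0] = calloc(1, sizeof *vif->link_conf[0]);
        vif->link_conf[0]->chan = chan; /* bss_conf.chan deliberately left NULL */
    } else {
        vif->bss_conf.chan = chan;
    }
    sta->deflink = caps;
    sta->vif = vif;
    return sta;
}

void free_sta(struct sta *sta)
{
    struct vif *vif = sta->vif;
    if (vif->mld) { free(vif->link_conf[0]->chan); free(vif->link_conf[0]); }
    else free(vif->bss_conf.chan);
    free(vif);
    free(sta);
}

int main(void)
{
    struct sta *legacy = make_sta(false, NL80211_BAND_5GHZ,
                                  (struct sta_link_caps){ .ht_supported = true });
    struct sta *mld = make_sta(true, NL80211_BAND_6GHZ,
                               (struct sta_link_caps){ .has_eht = true });

    printf("legacy vif: vulnerable=%d fixed=%d\n",
           ba_band_check_vulnerable(legacy), ba_band_check_fixed(legacy));
    /* The vulnerable check is not called on the MLD station: in userspace it
     * would SIGSEGV, the twin of the kernel oops quoted above. */
    printf("mld vif: legacy check would fault=%d fixed=%d\n",
           legacy_check_would_fault(mld), ba_band_check_fixed(mld));

    free_sta(legacy);
    free_sta(mld);
    return 0;
}
```

The point of the fixed variant is not just that it avoids the NULL pointer: it removes the dependency on vif->bss_conf altogether, so the check stays correct whichever link the station is on, instead of papering over the MLD case with an `if (chan)` guard that would silently refuse BA sessions on every MLD link.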

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running unfixed Linux kernel versions with wireless networking enabled and, specifically, using Multi-Link Operation (MLO): the NULL dereference is only reachable on an MLD connection. The impact is denial of service through a kernel crash. Note that the crash path shown in the log is the kernel's own workqueue (rtw89_core_ba_work) starting a TX BA session for a station, which is routine aggregation setup, so the oops can occur during ordinary operation once an MLD link is up; whether a remote peer can deliberately force it is not established by the advisory. A crash disrupts network connectivity and, because it takes down the whole kernel, every workload on the host, which matters most where Linux is the wireless access point, router or endpoint. Confidentiality and integrity impacts are not indicated: the fault is a read of address 0 that oopses, not a write or a privilege escalation. Repeated crashes or induced downtime would nonetheless degrade availability, and Linux-based wireless or embedded devices in operational technology (OT) or industrial control systems could face operational disruption. Given the kernel-level nature, recovery requires a reboot and a patched kernel.

Mitigation Recommendations

1. Apply the fixed kernel for CVE-2024-43911 from your distribution or a trusted source; the upstream fix is already merged (the description states the vulnerability "has been resolved").
2. Where patching is delayed, disable or avoid Multi-Link Operation (MLO) / Multi-Link Device connections on affected hosts, since the NULL dereference is only reachable on an MLD link.
3. Segment vulnerable Linux wireless devices from critical infrastructure so that a crash of one host does not take down dependent services.
4. Monitor kernel logs for the oops signature: a "BUG: kernel NULL pointer dereference, address: 0000000000000000" line followed by a RIP line in ieee80211_start_tx_ba_session.
5. Employ intrusion detection capable of flagging abnormal wireless traffic patterns; note that the advisory does not identify a specific remote trigger, so this is defence in depth rather than a signature for this CVE.
6. Maintain an up-to-date inventory of kernel versions in use across wireless infrastructure to prioritize patching.
7. For embedded or specialized devices, coordinate with vendors for firmware updates that carry the kernel fix.
8. Test patched kernels in a staging environment, including MLO connections, before wide deployment.
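For item 4, the following is an added example of the log check (not tooling from the page, the site or the kernel project) that scans dmesg/journalctl-style text for the oops signature. The function name count_tx_ba_null_deref_oopses and the state-machine approach are assumptions; the first five sample lines are taken from the crash log above and the second, unrelated oops is constructed to show that a NULL dereference elsewhere is not counted.

```c
/* Log triage for mitigation 4: scan kernel log text for the oops signature
 * this CVE produces. Added example, not from the page or the kernel tree.
 * Assumes journalctl/dmesg-style lines; the sample log is constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 512

/* Signature: a NULL-pointer BUG line followed (within the same oops) by a
 * RIP line inside ieee80211_start_tx_ba_session. Returns the number of
 * matching oopses found in the text. A RIP line without a preceding BUG
 * line, or a BUG line whose RIP is elsewhere, does not count. */
int count_tx_ba_null_deref_oopses(const char *log)
{
    int hits = 0;
    bool in_null_deref_oops = false;
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[MAX_LINE];
        if (len >= sizeof line)
            len = sizeof line - 1;         /* truncate over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';

        if (strstr(line, "BUG: kernel NULL pointer dereference")) {
            in_null_deref_oops = true;     /* a new oops begins */
        } else if (in_null_deref_oops && strstr(line, "RIP:")) {
            if (strstr(line, "ieee80211_start_tx_ba_session"))
                hits++;
            in_null_deref_oops = false;    /* one RIP line per oops */
        } else if (strstr(line, "---[ end trace")) {
            in_null_deref_oops = false;
        }

        if (!nl)
            break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample: the first oops is the one from the advisory, the
 * second is an unrelated NULL dereference that must not be counted. */
static const char SAMPLE_LOG[] =
    "[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n"
    "[ 9890.526102] #PF: supervisor read access in kernel mode\n"
    "[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n"
    "[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n"
    "[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n"
    "[ 9999.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010\n"
    "[ 9999.000002] RIP: 0010:some_other_function+0x10/0x20\n";

int main(void)
{
    /* In production, feed the output of `journalctl -k` or `dmesg` instead. */
    printf("matching oopses: %d\n", count_tx_ba_null_deref_oopses(SAMPLE_LOG));
    return 0;
}
```

Keying on the RIP symbol rather than on "rtw89_core_ba_work" keeps the check driver-agnostic, which matters because the faulty code is in mac80211 and other MLO-capable drivers reach the same function.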


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-17T09:11:59.295Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec02d

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 5:26:44 PM

Last updated: 7/30/2025, 10:42:10 AM
