CVE-2024-46755: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()

mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them, which can lead to NULL pointer dereferences further down the call stack. Fix this by returning only used priv pointers, which have priv->bss_mode set to something other than NL80211_IFTYPE_UNSPECIFIED.

Said NULL pointer dereference happened when an access point was started with wpa_supplicant -i mlan0 with this config:

    network={
        ssid="somessid"
        mode=2
        frequency=2412
        key_mgmt=WPA-PSK WPA-PSK-SHA256
        proto=RSN
        group=CCMP
        pairwise=CCMP
        psk="12345678"
    }

When waiting for the AP to be established, interrupting wpa_supplicant with <ctrl-c> and starting it again, this happens:

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
    Mem abort info:
      ESR = 0x0000000096000004
      EC = 0x25: DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x04: level 0 translation fault
    Data abort info:
      ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
      CM = 0, WnR = 0, TnD = 0, TagAccess = 0
      GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
    [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
    Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
    Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
    +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
    +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6
    CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
    Hardware name: somemachine (DT)
    Workqueue: events sdio_irq_work
    pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
    lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
    sp : ffff8000818b3a70
    x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
    x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
    x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
    x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
    x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
    x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
    x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
    x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
    x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
    x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
    Call trace:
     mwifiex_get_cfp+0xd8/0x15c [mwifiex]
     mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
     mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
     mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
     mwifiex_process_event+0x110/0x238 [mwifiex]
     mwifiex_main_process+0x428/0xa44 [mwifiex]
     mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
     process_sdio_pending_irqs+0x64/0x1b8
     sdio_irq_work+0x4c/0x7c
     process_one_work+0x148/0x2a0
     worker_thread+0x2fc/0x40c
     kthread+0x110/0x114
     ret_from_fork+0x10/0x20
    Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
    ---[ end trace 0000000000000000 ]---
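The lookup logic described above, as an added example that is not the kernel's own code: a simplified vulnerable mwifiex_get_priv_by_id() beside the fixed variant that also requires bss_mode != NL80211_IFTYPE_UNSPECIFIED, plus a caller that reads priv->wiphy the way mwifiex_get_cfp() does. The struct layouts, the BSS_TYPE_* values and the sample adapter are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-ins for the kernel types; layouts and values are assumptions, not the
 * driver's real definitions. */
enum { NL80211_IFTYPE_UNSPECIFIED = 0, NL80211_IFTYPE_STATION = 2, NL80211_IFTYPE_AP = 3 };
enum { BSS_TYPE_STA = 0, BSS_TYPE_UAP = 1 };
struct wiphy { int id; };
struct mwifiex_private {
    uint8_t bss_num, bss_type;
    int bss_mode;        /* NL80211_IFTYPE_UNSPECIFIED while the slot is not in use */
    struct wiphy *wiphy; /* NULL on an unused priv: the pointer the oops dereferenced */
};
#define MAX_PRIV 2
struct mwifiex_adapter { struct mwifiex_private *priv[MAX_PRIV]; int priv_num; };
typedef struct mwifiex_private *(*lookup_fn)(struct mwifiex_adapter *, uint8_t, uint8_t);

/* Vulnerable lookup: matches bss_num/bss_type only, so it can hand back an
 * unused slot that has no wiphy attached. */
struct mwifiex_private *get_priv_by_id_vuln(struct mwifiex_adapter *a, uint8_t num, uint8_t type)
{
    for (int i = 0; i < a->priv_num; i++)
        if (a->priv[i] && a->priv[i]->bss_num == num && a->priv[i]->bss_type == type)
            return a->priv[i];
    return NULL;
}

/* Fixed lookup: additionally requires bss_mode != NL80211_IFTYPE_UNSPECIFIED. */
struct mwifiex_private *get_priv_by_id_fixed(struct mwifiex_adapter *a, uint8_t num, uint8_t type)
{
    for (int i = 0; i < a->priv_num; i++)
        if (a->priv[i] && a->priv[i]->bss_num == num && a->priv[i]->bss_type == type &&
            a->priv[i]->bss_mode != NL80211_IFTYPE_UNSPECIFIED)
            return a->priv[i];
    return NULL;
}

/* Models a consumer such as mwifiex_get_cfp(): it trusts a non-NULL priv and
 * reads priv->wiphy. Returns 1 if that read would hit a NULL wiphy. */
int would_deref_null_wiphy(lookup_fn lookup, struct mwifiex_adapter *a, uint8_t num, uint8_t type)
{
    struct mwifiex_private *p = lookup(a, num, type);
    return p != NULL && p->wiphy == NULL;
}
/* Constructed scenario: the AP priv was torn down when wpa_supplicant was interrupted
 * (bss_mode reset, wiphy NULL) but a late scan-report event still names its ids. */
static struct wiphy sta_wiphy = { 1 };
static struct mwifiex_private sta = { 0, BSS_TYPE_STA, NL80211_IFTYPE_STATION, &sta_wiphy };
static struct mwifiex_private stale_ap = { 0, BSS_TYPE_UAP, NL80211_IFTYPE_UNSPECIFIED, NULL };
struct mwifiex_adapter sample_adapter = { { &sta, &stale_ap }, MAX_PRIV };
```

With the vulnerable lookup the stale AP slot is returned and its NULL wiphy would be read; with the fixed lookup the same event yields NULL, which the caller can check, while the in-use station slot is still found.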
AI Analysis
Technical Summary
CVE-2024-46755 is a vulnerability in the Linux kernel's mwifiex wireless driver. The function mwifiex_get_priv_by_id() returns the private data pointer (priv) matching a given bss_num and bss_type (BSS, Basic Service Set, identifiers), but it does not verify that the returned priv is currently in use. An unused priv has no wiphy (wireless physical device) structure attached, so kernel code further down the call stack that reads priv->wiphy dereferences a NULL pointer. The result is a kernel oops, i.e. a denial of service (DoS). The issue was reproduced by starting an access point with wpa_supplicant using a particular configuration, interrupting the process while the AP was being established, and starting it again; the kernel log then shows the NULL pointer dereference, with the stack trace pointing at mwifiex_get_cfp() and the scan-report event processing routines in the mwifiex driver. The root cause is that mwifiex_get_priv_by_id() returns priv pointers without checking that priv->bss_mode is something other than NL80211_IFTYPE_UNSPECIFIED, the value that marks an unused interface. The fix changes mwifiex_get_priv_by_id() to return only priv pointers that are in use, so that downstream code never receives an unused priv. This vulnerability affects Linux kernel versions containing the vulnerable mwifiex driver code prior to the patch. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the vulnerable mwifiex wireless driver, especially those using wireless access points or client devices relying on mwifiex for Wi-Fi connectivity. The impact is mainly a denial of service condition caused by kernel crashes due to NULL pointer dereferences. This can disrupt network connectivity, degrade service availability, and potentially cause system instability or require reboots. Critical infrastructure, enterprises, and service providers using embedded Linux devices or IoT equipment with mwifiex-based Wi-Fi modules could experience operational interruptions. While the vulnerability does not directly lead to privilege escalation or remote code execution, the resulting DoS could be leveraged in targeted attacks to disrupt services or cause outages. Given the widespread use of Linux in servers, networking equipment, and embedded devices across Europe, the vulnerability could affect a broad range of sectors including telecommunications, manufacturing, and public services. However, exploitation requires specific conditions such as starting/stopping access points with wpa_supplicant and interrupting processes, which somewhat limits the attack surface to local or administrative users.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel versions to include the patch that fixes the mwifiex_get_priv_by_id() function to properly validate priv pointers. For embedded devices or appliances where kernel updates are not immediately feasible, consider disabling or restricting the use of mwifiex wireless interfaces if they are not essential. Network administrators should monitor logs for kernel oops or crashes related to mwifiex and implement process controls to avoid interrupting wpa_supplicant or similar services in a manner that triggers the vulnerability. Additionally, applying strict access controls to limit who can start or stop wireless interfaces reduces the risk of accidental or malicious triggering. Organizations should also conduct audits of devices using mwifiex drivers to identify vulnerable systems and plan for timely patch deployment. Employing kernel crash monitoring and automated recovery mechanisms can help mitigate operational impact. Finally, vendors and integrators should be engaged to ensure firmware and kernel updates are delivered promptly for affected hardware platforms.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.270Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe11ec
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/29/2025, 1:24:38 AM
Last updated: 8/1/2025, 6:22:18 AM