CVE-2024-46760: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.
AI Analysis
Technical Summary
CVE-2024-46760 is a vulnerability identified in the Linux kernel's wireless driver subsystem, specifically within the Realtek rtw88 USB Wi-Fi driver. The flaw arises due to a race condition during the initialization sequence of the USB Wi-Fi device driver. The issue occurs because the driver schedules USB receive (rx) work before the hardware (hw) object and its associated fields are fully initialized. This premature scheduling can lead to a NULL pointer dereference in the function rtw_rx_fill_rx_status when it attempts to access uninitialized hardware configuration data, such as the channel definition (chandef). The stack trace indicates that USB responses can be processed asynchronously before the driver completes its setup, causing the NULL dereference and resulting in kernel warnings or crashes. The root cause is that usb_submit_urb, which submits USB requests for data reception, is called before the hardware registration and initialization routines (e.g., ieee80211_register_hw) complete. The fix involves deferring the first usb_submit_urb call until after all hardware setup is finalized to ensure that the driver does not process incoming USB data with incomplete hardware context. This vulnerability affects Linux kernel versions containing the vulnerable rtw88 driver code prior to the patch and can manifest as dropped packets or kernel errors related to NULL pointer dereferences in the Wi-Fi driver. Although no known exploits are reported in the wild, the flaw could potentially be triggered by crafted USB Wi-Fi device traffic or during device initialization, leading to denial of service (DoS) conditions via kernel crashes or instability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the vulnerable rtw88 USB Wi-Fi driver, which is common in many laptops, embedded devices, and IoT equipment using Realtek USB Wi-Fi chipsets. The impact includes potential denial of service due to kernel crashes or instability triggered by the NULL pointer dereference. This could disrupt network connectivity, affecting business operations, especially in environments relying on wireless connectivity for critical services. Additionally, unstable kernel behavior can lead to system reboots or degraded performance, impacting availability. While this vulnerability does not directly lead to privilege escalation or data leakage, the resulting DoS could be exploited as part of a broader attack chain to disrupt services or cause operational downtime. European organizations with large deployments of Linux-based systems in sectors such as telecommunications, manufacturing, and public infrastructure should be aware of this risk. The vulnerability's exploitation requires local access to the affected device or the ability to influence USB Wi-Fi traffic, which may limit remote exploitation but does not eliminate risk in environments with physical access or compromised internal networks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should prioritize updating their Linux kernel to the latest patched version that includes the fix for CVE-2024-46760. Kernel updates should be tested and deployed promptly on all affected systems, especially those using Realtek USB Wi-Fi adapters. For environments where immediate patching is not feasible, consider disabling or removing the vulnerable USB Wi-Fi devices temporarily to prevent exploitation. Network segmentation and strict access controls can reduce the risk by limiting physical or logical access to affected devices. Monitoring kernel logs for signs of rtw88 driver errors or unexpected reboots can help detect attempts to trigger the vulnerability. Additionally, organizations should review their device inventory to identify systems using the rtw88 driver and assess exposure. Employing endpoint security solutions that monitor for unusual kernel activity or device driver faults can provide early warning. Finally, coordinate with hardware vendors for firmware updates or alternative drivers if available, and maintain robust backup and recovery procedures to minimize operational impact in case of DoS incidents.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2024-46760: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.
AI-Powered Analysis
Technical Analysis
CVE-2024-46760 is a vulnerability identified in the Linux kernel's wireless driver subsystem, specifically within the Realtek rtw88 USB Wi-Fi driver. The flaw arises due to a race condition during the initialization sequence of the USB Wi-Fi device driver. The issue occurs because the driver schedules USB receive (rx) work before the hardware (hw) object and its associated fields are fully initialized. This premature scheduling can lead to a NULL pointer dereference in the function rtw_rx_fill_rx_status when it attempts to access uninitialized hardware configuration data, such as the channel definition (chandef). The stack trace indicates that USB responses can be processed asynchronously before the driver completes its setup, causing the NULL dereference and resulting in kernel warnings or crashes. The root cause is that usb_submit_urb, which submits USB requests for data reception, is called before the hardware registration and initialization routines (e.g., ieee80211_register_hw) complete. The fix involves deferring the first usb_submit_urb call until after all hardware setup is finalized to ensure that the driver does not process incoming USB data with incomplete hardware context. This vulnerability affects Linux kernel versions containing the vulnerable rtw88 driver code prior to the patch and can manifest as dropped packets or kernel errors related to NULL pointer dereferences in the Wi-Fi driver. Although no known exploits are reported in the wild, the flaw could potentially be triggered by crafted USB Wi-Fi device traffic or during device initialization, leading to denial of service (DoS) conditions via kernel crashes or instability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the vulnerable rtw88 USB Wi-Fi driver, which is common in many laptops, embedded devices, and IoT equipment using Realtek USB Wi-Fi chipsets. The impact includes potential denial of service due to kernel crashes or instability triggered by the NULL pointer dereference. This could disrupt network connectivity, affecting business operations, especially in environments relying on wireless connectivity for critical services. Additionally, unstable kernel behavior can lead to system reboots or degraded performance, impacting availability. While this vulnerability does not directly lead to privilege escalation or data leakage, the resulting DoS could be exploited as part of a broader attack chain to disrupt services or cause operational downtime. European organizations with large deployments of Linux-based systems in sectors such as telecommunications, manufacturing, and public infrastructure should be aware of this risk. The vulnerability's exploitation requires local access to the affected device or the ability to influence USB Wi-Fi traffic, which may limit remote exploitation but does not eliminate risk in environments with physical access or compromised internal networks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should prioritize updating their Linux kernel to the latest patched version that includes the fix for CVE-2024-46760. Kernel updates should be tested and deployed promptly on all affected systems, especially those using Realtek USB Wi-Fi adapters. For environments where immediate patching is not feasible, consider disabling or removing the vulnerable USB Wi-Fi devices temporarily to prevent exploitation. Network segmentation and strict access controls can reduce the risk by limiting physical or logical access to affected devices. Monitoring kernel logs for signs of rtw88 driver errors or unexpected reboots can help detect attempts to trigger the vulnerability. Additionally, organizations should review their device inventory to identify systems using the rtw88 driver and assess exposure. Employing endpoint security solutions that monitor for unusual kernel activity or device driver faults can provide early warning. Finally, coordinate with hardware vendors for firmware updates or alternative drivers if available, and maintain robust backup and recovery procedures to minimize operational impact in case of DoS incidents.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-09-11T15:12:18.271Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9826c4522896dcbe11f4
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/29/2025, 1:24:57 AM
Last updated: 8/11/2025, 7:19:31 AM
Views: 18
Related Threats
CVE-2025-8950: SQL Injection in Campcodes Online Recruitment Management System
MediumCVE-2025-27388: CWE-20 Improper Input Validation in OPPO OPPO HEALTH APP
HighCVE-2025-8949: Stack-based Buffer Overflow in D-Link DIR-825
HighCVE-2025-8948: SQL Injection in projectworlds Visitor Management System
MediumCVE-2025-8947: SQL Injection in projectworlds Visitor Management System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.