CVE-2024-47715: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7915: fix oops on non-dbdc mt7986

mt7915_band_config() sets band_idx = 1 on the main phy for mt7986 with MT7975_ONE_ADIE or MT7976_ONE_ADIE. Commit 0335c034e726 ("wifi: mt76: fix race condition related to checking tx queue fill status") introduced a dereference of the phys array indirectly indexed by band_idx via wcid->phy_idx in mt76_wcid_cleanup(). This caused the following Oops on affected mt7986 devices:

  Unable to handle kernel read from unreadable memory at virtual address 0000000000000024
  Mem abort info:
    ESR = 0x0000000096000005
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x05: level 1 translation fault
  Data abort info:
    ISV = 0, ISS = 0x00000005
    CM = 0, WnR = 0
  user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000
  [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
  Internal error: Oops: 0000000096000005 [#1] SMP
  Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...
  CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0
  Hardware name: ZyXEL EX5700 (Telenor) (DT)
  pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : mt76_wcid_cleanup+0x84/0x22c [mt76]
  lr : mt76_wcid_cleanup+0x64/0x22c [mt76]
  sp : ffffffc00a803700
  x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00
  x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001
  x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8
  x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000
  x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0
  x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000
  x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28
  x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000
  x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001
  x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024
  Call trace:
   mt76_wcid_cleanup+0x84/0x22c [mt76]
   __mt76_sta_remove+0x70/0xbc [mt76]
   mt76_sta_state+0x8c/0x1a4 [mt76]
   mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]
   drv_sta_state+0x144/0x274 [mac80211]
   sta_info_move_state+0x1cc/0x2a4 [mac80211]
   sta_set_sinfo+0xaf8/0xc24 [mac80211]
   sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]
   ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]
   cfg80211_check_station_change+0x1360/0x4710 [cfg80211]
   genl_family_rcv_msg_doit+0xb4/0x110
   genl_rcv_msg+0xd0/0x1bc
   netlink_rcv_skb+0x58/0x120
   genl_rcv+0x34/0x50
   netlink_unicast+0x1f0/0x2ec
   netlink_sendmsg+0x198/0x3d0
   ____sys_sendmsg+0x1b0/0x210
   ___sys_sendmsg+0x80/0xf0
   __sys_sendmsg+0x44/0xa0
   __arm64_sys_sendmsg+0x20/0x30
   invoke_syscall.constprop.0+0x4c/0xe0
   do_el0_svc+0x40/0xd0
   el0_svc+0x14/0x4c
   el0t_64_sync_handler+0x100/0x110
   el0t_64_sync+0x15c/0x160
  Code: d2800002 910092c0 52800023 f9800011 (885f7c01)
  ---[ end trace 7e42dd9a39ed2281 ]---

Fix by using mt76_dev_phy() which will map band_idx to the correct phy for all hardware combinations.
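As an added illustration (not code from the kernel or the mt76 project), the following model shows why indexing the phys array directly with the wcid's phy_idx reads through NULL on a single-phy mt7986 whose main phy was given band_idx 1, and how a fallback in the style of mt76_dev_phy() avoids it. The struct layouts, the mt76_phy/mt76_dev/mt76_wcid names and the helper functions are simplified assumptions chosen to mirror the shape described in the commit message.

```c
#include <stdio.h>

enum { MT_BAND0 = 0, MT_BAND1 = 1, MT_BAND2 = 2, __MT_MAX_BAND = 3 };

struct mt76_phy { int band_idx; };
struct mt76_dev {
    struct mt76_phy phy;                  /* main phy, always valid */
    struct mt76_phy *phys[__MT_MAX_BAND]; /* phys[0] = &phy; 1 and 2 only on DBDC */
};
struct mt76_wcid { unsigned char phy_idx; };
/* Pre-fix lookup: plain indirect indexing, NULL for a band slot never filled. */
static struct mt76_phy *wcid_phy_unsafe(struct mt76_dev *dev, const struct mt76_wcid *wcid)
{
    return dev->phys[wcid->phy_idx];
}
/* Post-fix lookup modelled on mt76_dev_phy(): honour the requested band only
 * if a phy was registered there, otherwise fall back to the main phy. */
static struct mt76_phy *wcid_phy_safe(struct mt76_dev *dev, const struct mt76_wcid *wcid)
{
    unsigned char idx = wcid->phy_idx;
    if ((idx == MT_BAND1 || idx == MT_BAND2) && dev->phys[idx])
        return dev->phys[idx];
    return &dev->phy;
}
/* Constructed non-DBDC mt7986: a single phy that band_config() gave band_idx 1. */
static void setup_non_dbdc_mt7986(struct mt76_dev *dev)
{
    dev->phy.band_idx = MT_BAND1;
    dev->phys[MT_BAND0] = &dev->phy;
    dev->phys[MT_BAND1] = dev->phys[MT_BAND2] = NULL; /* one adie: never registered */
}
/* 1 if the station-cleanup path resolves a usable phy, 0 if it would read
 * through NULL (the fault at virtual address 0x24 in the advisory's oops). */
static int cleanup_phy_is_valid(int use_fix)
{
    struct mt76_dev dev;
    struct mt76_wcid wcid = { .phy_idx = MT_BAND1 }; /* inherited from the main phy */
    struct mt76_phy *phy;
    setup_non_dbdc_mt7986(&dev);
    phy = use_fix ? wcid_phy_safe(&dev, &wcid) : wcid_phy_unsafe(&dev, &wcid);
    return phy != NULL && phy->band_idx == MT_BAND1;
}

int main(void)
{
    printf("pre-fix lookup usable: %d\nfixed lookup usable:   %d\n",
           cleanup_phy_is_valid(0), cleanup_phy_is_valid(1));
    return 0;
}
```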
AI Analysis
Technical Summary
CVE-2024-47715 is a vulnerability in the Linux kernel's wireless driver stack, specifically in the mt76 driver for MediaTek wireless chipsets, including the mt7915 and mt7986 devices. The root cause is the band index handling in mt7915_band_config(): for mt7986 hardware with a single analog die (MT7975_ONE_ADIE or MT7976_ONE_ADIE) it sets band_idx = 1 on the main phy even though no second phy is registered. Commit 0335c034e726, which fixed a race condition in checking the TX queue fill status, added code in mt76_wcid_cleanup() that indexes the phys array through wcid->phy_idx; on non-DBDC mt7986 that entry is unset, so the cleanup reads through an invalid pointer. The read faults at virtual address 0x24 (a level 1 translation fault on an unmapped address close to NULL) and produces a kernel oops, crashing the affected device. In the reported case the oops was triggered during station removal requested by the hostapd process, so the practical effect is a denial of service (DoS) through a kernel crash. The fix replaces the direct array index with mt76_dev_phy(), which maps band_idx to the correct phy for all hardware combinations. Affected kernels are those that contain commit 0335c034e726 without the fix, on devices using the affected MediaTek chipsets with the mt76 driver. No known exploits were reported in the wild as of the publication date (October 21, 2024).
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected mt76 wireless driver and using MediaTek mt7915 or mt7986 chipsets. Such systems include embedded devices, wireless access points, routers, and potentially IoT devices deployed in enterprise or industrial environments. The impact is mainly a denial of service through kernel crashes, which can disrupt network connectivity and availability of critical services relying on wireless communication. In environments where wireless infrastructure is essential, such as telecommunications, manufacturing, healthcare, and public services, this could lead to operational downtime and loss of productivity. Although the vulnerability does not appear to allow privilege escalation or remote code execution directly, the resulting instability could be exploited as part of a broader attack chain. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely used Linux kernels necessitates prompt remediation to maintain network reliability and security posture.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel versions to include the patch that fixes CVE-2024-47715. Since the vulnerability is tied to specific commits, verifying kernel versions and applying vendor-supplied patches or mainline kernel updates is critical. For embedded or specialized devices, coordinate with hardware vendors to obtain firmware or driver updates that incorporate the fix. Additionally, organizations should audit their network infrastructure to identify devices using affected MediaTek chipsets and mt76 drivers. Where patching is delayed, consider isolating vulnerable devices from critical network segments or limiting access to trusted users to reduce exploitation risk. Monitoring kernel logs for oops or crash messages related to mt76 can help detect attempted exploitation or instability. Implementing robust network segmentation and access controls will further mitigate potential impacts. Finally, maintain up-to-date inventories of hardware and software to ensure timely identification and remediation of such vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-30T16:00:12.949Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe05a0
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 7:55:37 PM
Last updated: 8/17/2025, 9:41:36 AM
Views: 21
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)