CVE-2024-50236: Vulnerability in Linux

Medium
Published: Sat Nov 09 2024 (11/09/2024, 10:14:46 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: Fix memory leak in management tx

In the current logic, memory is allocated for storing the MSDU context during management packet TX but this memory is not being freed during management TX completion. Similar leaks are seen in the management TX cleanup logic.

Kmemleak reports this problem as below,

    unreferenced object 0xffffff80b64ed250 (size 16):
      comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s)
      hex dump (first 16 bytes):
        00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00  .+.......t......
      backtrace:
        [<ffffffe6e7b245dc>] __kmem_cache_alloc_node+0x1e4/0x2d8
        [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
        [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
        [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]
        [<ffffffe6e78d5974>] process_scheduled_works+0x1ac/0x400
        [<ffffffe6e78d60b8>] worker_thread+0x208/0x328
        [<ffffffe6e78dc890>] kthread+0x100/0x1c0
        [<ffffffe6e78166c0>] ret_from_fork+0x10/0x20

Free the memory during completion and cleanup to fix the leak.

Protect the mgmt_pending_tx idr_remove() operation in ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to other instances.

Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1

AI-Powered Analysis

Last updated: 06/28/2025, 13:12:27 UTC

Technical Analysis

CVE-2024-50236 is a vulnerability identified in the Linux kernel specifically affecting the ath10k wireless driver, which is responsible for managing Qualcomm Atheros Wi-Fi chipsets. The flaw is a memory leak occurring during the transmission of management frames (management TX). In the current implementation, memory is allocated to store the MSDU (MAC Service Data Unit) context when sending management packets, but this allocated memory is not properly freed upon completion of the transmission or during cleanup operations. This leads to a gradual accumulation of unreferenced memory objects, as reported by the kernel memory leak detector (kmemleak). The root cause is the missing deallocation of memory in the management TX completion and cleanup logic. Additionally, the vulnerability involves a concurrency issue where the mgmt_pending_tx idr_remove() operation is not adequately protected by locking mechanisms, potentially leading to race conditions. The fix involves freeing the allocated memory during both completion and cleanup phases and protecting the critical section with a data lock (ar->data_lock) to prevent concurrent access issues. The vulnerability was tested on hardware WCN3990 hw1.0 and is relevant to Linux kernel versions containing the specified commit hashes. No known exploits are reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability primarily poses a risk of resource exhaustion on Linux systems utilizing affected Qualcomm Atheros Wi-Fi chipsets with the ath10k driver. Memory leaks can degrade system performance over time, potentially leading to denial of service (DoS) conditions if the leaked memory accumulates sufficiently to exhaust kernel memory pools. This can affect critical infrastructure, enterprise servers, embedded devices, and network equipment running Linux with these drivers. Although the vulnerability does not directly allow code execution or privilege escalation, the resulting instability and DoS can disrupt business operations, especially in environments relying on wireless connectivity for critical communications. Organizations with large-scale deployments of Linux-based wireless access points, IoT devices, or network appliances using affected hardware are at higher risk. The concurrency issue could also lead to unpredictable behavior or crashes under high network load. Given the widespread use of Linux in European IT infrastructure and the prevalence of Qualcomm Atheros chipsets in wireless devices, the impact could be significant if left unpatched, particularly in sectors such as telecommunications, manufacturing, and public services.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions that include the patch for CVE-2024-50236 as soon as it becomes available. Since the vulnerability is in the ath10k driver, organizations should audit their hardware inventory to identify devices using Qualcomm Atheros chipsets managed by this driver. For embedded or specialized devices where kernel updates are less frequent, consider applying vendor-supplied firmware or driver patches. Network administrators should monitor systems for signs of memory leaks or unusual resource consumption related to wireless management traffic. Implementing kernel memory leak detection tools like kmemleak can help identify affected systems proactively. Additionally, organizations should enforce strict access controls and network segmentation to limit exposure of vulnerable devices to untrusted networks, reducing the risk of exploitation through crafted management frames. Where feasible, temporarily disabling wireless interfaces or switching to alternative drivers/hardware until patches are applied can mitigate risk. Finally, maintain up-to-date incident response plans to address potential denial of service scenarios caused by this vulnerability.
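To support the kmemleak monitoring recommended above, the following added example (not part of the original advisory or the kernel project) parses a kmemleak report and totals the unreferenced objects whose backtrace passes through the allocation site named in the description. The function names and the sample text are assumptions made for illustration; on a kernel built with kmemleak, the report text is read from /sys/kernel/debug/kmemleak.

```python
import re

# Allocation site taken from the kmemleak backtrace quoted in the description.
LEAK_SITE = "ath10k_wmi_tlv_op_gen_mgmt_tx_send"
HEADER = re.compile(r"^unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
# The "[<address>]" prefix is treated as optional (assumption: format varies by kernel).
FRAME = re.compile(
    r"^\s+(?:\[<[0-9a-f]+>\]\s+)?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")

def parse_kmemleak(text):
    """Split a kmemleak report into records: address, size, (symbol, module) frames."""
    records = []
    for line in text.splitlines():
        head, frame = HEADER.match(line), FRAME.match(line)
        if head:
            records.append({"addr": head[1], "size": int(head[2]), "frames": []})
        elif frame and records:
            records[-1]["frames"].append(frame.groups())
    return records

def summarize_mgmt_tx_leaks(text, site=LEAK_SITE):
    """Count and total the leaked objects whose backtrace includes `site`."""
    hits = [r for r in parse_kmemleak(text)
            if any(sym == site for sym, _mod in r["frames"])]
    return {"objects": len(hits), "bytes": sum(r["size"] for r in hits),
            "addresses": [r["addr"] for r in hits]}

# Constructed sample: record 1 abridges the report on this page; 2 and 3 are made up.
SAMPLE = """\
unreferenced object 0xffffff80b64ed250 (size 16):
  comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s)
  backtrace:
    [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
    [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
    [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]
unreferenced object 0xffffff80b64ed260 (size 16):
  comm "kworker/u16:7", pid 148, jiffies 4294687200 (age 713.900s)
  backtrace:
    [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
    [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
unreferenced object 0xffffff80a0000000 (size 64):
  comm "example", pid 1, jiffies 4294687300 (age 713.000s)
  backtrace:
    [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
    [<ffffffe600000000>] example_alloc+0x10/0x20 [example_mod]
"""

if __name__ == "__main__":
    print(summarize_mgmt_tx_leaks(SAMPLE))
```

A count that keeps growing between scans on an unpatched host with an ath10k device is consistent with the leak described here; the unrelated third record is ignored.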

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.975Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf5e4

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 1:12:27 PM

Last updated: 8/12/2025, 4:58:43 PM
