CVE-2024-56541: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup() During ath12k module removal, in ath12k_core_deinit(), ath12k_mac_destroy() un-registers ah->hw from mac80211 and frees the ah->hw as well as all the ar's in it. After this ath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup() tries to access one of the freed ar's from pending skb. This is because during mac destroy, driver failed to flush few data packets, which were accessed later in ath12k_dp_cc_cleanup() and freed, but using ar from the packet led to this use-after-free. BUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] Write of size 4 at addr ffff888150bd3514 by task modprobe/8926 CPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted 6.11.0-rc2-wt-ath+ #1746 Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 Call Trace: <TASK> dump_stack_lvl+0x7d/0xe0 print_address_description.constprop.0+0x33/0x3a0 print_report+0xb5/0x260 ? kasan_addr_to_slab+0x24/0x80 kasan_report+0xd8/0x110 ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] kasan_check_range+0xf3/0x1a0 __kasan_check_write+0x14/0x20 ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ath12k_dp_free+0x178/0x420 [ath12k] ath12k_core_stop+0x176/0x200 [ath12k] ath12k_core_deinit+0x13f/0x210 [ath12k] ath12k_pci_remove+0xad/0x1c0 [ath12k] pci_device_remove+0x9b/0x1b0 device_remove+0xbf/0x150 device_release_driver_internal+0x3c3/0x580 ? __kasan_check_read+0x11/0x20 driver_detach+0xc4/0x190 bus_remove_driver+0x130/0x2a0 driver_unregister+0x68/0x90 pci_unregister_driver+0x24/0x240 ? find_module_all+0x13e/0x1e0 ath12k_pci_exit+0x10/0x20 [ath12k] __do_sys_delete_module+0x32c/0x580 ? module_flags+0x2f0/0x2f0 ? kmem_cache_free+0xf0/0x410 ? __fput+0x56f/0xab0 ? __fput+0x56f/0xab0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_delete_module+0x4f/0x70 x64_sys_call+0x522/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f8182c6ac8b Commit 24de1b7b231c ("wifi: ath12k: fix flush failure in recovery scenarios") added the change to decrement the pending packets count in case of recovery which make sense as ah->hw as well all ar's in it are intact during recovery, but during core deinit there is no use in decrementing packets count or waking up the empty waitq as the module is going to be removed also ar's from pending skb's can't be used and the packets should just be released back. To fix this, avoid accessing ar from skb->cb when driver is being unregistered. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
AI Analysis
Technical Summary
CVE-2024-56541 is a high-severity use-after-free vulnerability in the Linux kernel's ath12k wireless driver, which supports certain Qualcomm Atheros Wi-Fi chipsets. The flaw occurs during the removal of the ath12k kernel module, specifically in the function ath12k_dp_cc_cleanup(). When the ath12k_core_deinit() function is called to deinitialize the driver, it unregisters the hardware (ah->hw) from the mac80211 subsystem and frees associated resources, including the ath12k hardware abstraction structures (ar). However, some pending data packets (skb) are not properly flushed before this cleanup. Later, ath12k_dp_cc_cleanup() attempts to access the freed ar structures from these packets, resulting in a use-after-free condition. This memory corruption can lead to kernel crashes or potentially allow an attacker with limited privileges (local user with module removal rights) to execute arbitrary code or escalate privileges due to the high impact on confidentiality, integrity, and availability. The vulnerability is rooted in improper handling of packet flushing and resource cleanup during module removal, and the fix involves avoiding access to freed memory by not referencing ar from skb->cb when the driver is being unregistered. The vulnerability affects Linux kernel versions containing the ath12k driver prior to the patch commit 24de1b7b231c and has been tested on hardware such as QCN9274 and WCN7850 PCI WLAN chipsets. The CVSS v3.1 base score is 7.8, reflecting high severity with local attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those relying on Linux-based systems with Qualcomm Atheros ath12k Wi-Fi chipsets, common in enterprise laptops, embedded devices, and network appliances. Exploitation could allow local attackers or malicious insiders to cause kernel crashes leading to denial of service or potentially escalate privileges to gain unauthorized control over affected systems. This could compromise sensitive data confidentiality and integrity, disrupt business operations, and facilitate further lateral movement within networks. Critical infrastructure operators, telecommunications providers, and enterprises with Linux-based wireless networking equipment are particularly at risk. The vulnerability's exploitation does not require user interaction but does require local privileges, which means compromised or untrusted users on a system could leverage this flaw. Given the widespread use of Linux in European IT environments and the increasing reliance on wireless connectivity, the impact could be broad if unpatched systems are present.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that address CVE-2024-56541 is essential. Organizations should track kernel updates from their Linux distribution vendors and deploy them promptly. 2. Audit and inventory all systems to identify those using the ath12k driver and Qualcomm Atheros chipsets (e.g., QCN9274, WCN7850). 3. Limit local user privileges to prevent unauthorized module removal or driver manipulation. 4. Implement strict access controls and monitoring on systems that allow kernel module loading/unloading, including use of Linux Security Modules (LSMs) like SELinux or AppArmor to restrict module management. 5. Employ kernel live patching solutions where possible to reduce downtime and rapidly mitigate vulnerabilities without full reboots. 6. Regularly monitor system logs for suspicious module removal or kernel errors indicative of exploitation attempts. 7. For embedded or specialized devices, coordinate with vendors for firmware or driver updates. 8. Conduct penetration testing and vulnerability scanning focused on kernel module vulnerabilities to proactively identify exposure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-56541: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup() During ath12k module removal, in ath12k_core_deinit(), ath12k_mac_destroy() un-registers ah->hw from mac80211 and frees the ah->hw as well as all the ar's in it. After this ath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup() tries to access one of the freed ar's from pending skb. This is because during mac destroy, driver failed to flush few data packets, which were accessed later in ath12k_dp_cc_cleanup() and freed, but using ar from the packet led to this use-after-free. BUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] Write of size 4 at addr ffff888150bd3514 by task modprobe/8926 CPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted 6.11.0-rc2-wt-ath+ #1746 Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 Call Trace: <TASK> dump_stack_lvl+0x7d/0xe0 print_address_description.constprop.0+0x33/0x3a0 print_report+0xb5/0x260 ? kasan_addr_to_slab+0x24/0x80 kasan_report+0xd8/0x110 ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] kasan_check_range+0xf3/0x1a0 __kasan_check_write+0x14/0x20 ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ath12k_dp_free+0x178/0x420 [ath12k] ath12k_core_stop+0x176/0x200 [ath12k] ath12k_core_deinit+0x13f/0x210 [ath12k] ath12k_pci_remove+0xad/0x1c0 [ath12k] pci_device_remove+0x9b/0x1b0 device_remove+0xbf/0x150 device_release_driver_internal+0x3c3/0x580 ? __kasan_check_read+0x11/0x20 driver_detach+0xc4/0x190 bus_remove_driver+0x130/0x2a0 driver_unregister+0x68/0x90 pci_unregister_driver+0x24/0x240 ? find_module_all+0x13e/0x1e0 ath12k_pci_exit+0x10/0x20 [ath12k] __do_sys_delete_module+0x32c/0x580 ? module_flags+0x2f0/0x2f0 ? kmem_cache_free+0xf0/0x410 ? __fput+0x56f/0xab0 ? __fput+0x56f/0xab0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_delete_module+0x4f/0x70 x64_sys_call+0x522/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f8182c6ac8b Commit 24de1b7b231c ("wifi: ath12k: fix flush failure in recovery scenarios") added the change to decrement the pending packets count in case of recovery which make sense as ah->hw as well all ar's in it are intact during recovery, but during core deinit there is no use in decrementing packets count or waking up the empty waitq as the module is going to be removed also ar's from pending skb's can't be used and the packets should just be released back. To fix this, avoid accessing ar from skb->cb when driver is being unregistered. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
AI-Powered Analysis
Technical Analysis
CVE-2024-56541 is a high-severity use-after-free vulnerability in the Linux kernel's ath12k wireless driver, which supports certain Qualcomm Atheros Wi-Fi chipsets. The flaw occurs during the removal of the ath12k kernel module, specifically in the function ath12k_dp_cc_cleanup(). When the ath12k_core_deinit() function is called to deinitialize the driver, it unregisters the hardware (ah->hw) from the mac80211 subsystem and frees associated resources, including the ath12k hardware abstraction structures (ar). However, some pending data packets (skb) are not properly flushed before this cleanup. Later, ath12k_dp_cc_cleanup() attempts to access the freed ar structures from these packets, resulting in a use-after-free condition. This memory corruption can lead to kernel crashes or potentially allow an attacker with limited privileges (local user with module removal rights) to execute arbitrary code or escalate privileges due to the high impact on confidentiality, integrity, and availability. The vulnerability is rooted in improper handling of packet flushing and resource cleanup during module removal, and the fix involves avoiding access to freed memory by not referencing ar from skb->cb when the driver is being unregistered. The vulnerability affects Linux kernel versions containing the ath12k driver prior to the patch commit 24de1b7b231c and has been tested on hardware such as QCN9274 and WCN7850 PCI WLAN chipsets. The CVSS v3.1 base score is 7.8, reflecting high severity with local attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those relying on Linux-based systems with Qualcomm Atheros ath12k Wi-Fi chipsets, common in enterprise laptops, embedded devices, and network appliances. Exploitation could allow local attackers or malicious insiders to cause kernel crashes leading to denial of service or potentially escalate privileges to gain unauthorized control over affected systems. This could compromise sensitive data confidentiality and integrity, disrupt business operations, and facilitate further lateral movement within networks. Critical infrastructure operators, telecommunications providers, and enterprises with Linux-based wireless networking equipment are particularly at risk. The vulnerability's exploitation does not require user interaction but does require local privileges, which means compromised or untrusted users on a system could leverage this flaw. Given the widespread use of Linux in European IT environments and the increasing reliance on wireless connectivity, the impact could be broad if unpatched systems are present.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that address CVE-2024-56541 is essential. Organizations should track kernel updates from their Linux distribution vendors and deploy them promptly. 2. Audit and inventory all systems to identify those using the ath12k driver and Qualcomm Atheros chipsets (e.g., QCN9274, WCN7850). 3. Limit local user privileges to prevent unauthorized module removal or driver manipulation. 4. Implement strict access controls and monitoring on systems that allow kernel module loading/unloading, including use of Linux Security Modules (LSMs) like SELinux or AppArmor to restrict module management. 5. Employ kernel live patching solutions where possible to reduce downtime and rapidly mitigate vulnerabilities without full reboots. 6. Regularly monitor system logs for suspicious module removal or kernel errors indicative of exploitation attempts. 7. For embedded or specialized devices, coordinate with vendors for firmware or driver updates. 8. Conduct penetration testing and vulnerability scanning focused on kernel module vulnerabilities to proactively identify exposure.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-27T14:03:05.988Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9823c4522896dcbdf19d
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 7/2/2025, 11:12:10 PM
Last updated: 7/30/2025, 10:39:04 PM
Views: 17
Related Threats
CVE-2025-8833: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-7965: CWE-352 Cross-Site Request Forgery (CSRF) in CBX Restaurant Booking
MediumCVE-2025-8832: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-8831: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-8829: OS Command Injection in Linksys RE6250
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.