CVE-2024-56663: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

Since the netlink attribute range validation provides inclusive checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.

One crash stack for demonstration:

==================================================================
BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939
Read of size 6 at addr 001102080000000c by task fuzzer.386/9508

CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106
print_report+0xe0/0x750 mm/kasan/report.c:398
kasan_report+0x139/0x170 mm/kasan/report.c:495
kasan_check_range+0x287/0x290 mm/kasan/generic.c:189
memcpy+0x25/0x60 mm/kasan/shadow.c:65
ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939
rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]
nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453
genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756
genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850
netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508
genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352
netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874
sock_sendmsg_nosec net/socket.c:716 [inline]
__sock_sendmsg net/socket.c:728 [inline]
____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499
___sys_sendmsg+0x21c/0x290 net/socket.c:2553
__sys_sendmsg net/socket.c:2582 [inline]
__do_sys_sendmsg net/socket.c:2591 [inline]
__se_sys_sendmsg+0x19e/0x270 net/socket.c:2589
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Update the policy to ensure correct validation.
AI Analysis
Technical Summary
CVE-2024-56663 is an off-by-one in the netlink attribute policy of the Linux kernel's nl80211 interface, the control channel between user space and the cfg80211/mac80211 wireless stack. The kernel's netlink range validation is inclusive on both ends, but the policy for NL80211_ATTR_MLO_LINK_ID set its maximum to IEEE80211_MLD_MAX_NUM_LINKS instead of IEEE80211_MLD_MAX_NUM_LINKS - 1. A link ID equal to IEEE80211_MLD_MAX_NUM_LINKS therefore passed validation and was then used as an index into per-link data that holds exactly IEEE80211_MLD_MAX_NUM_LINKS entries, one past the last valid slot. In the crash quoted in the fixing commit, a syzkaller fuzzer (task syz.1.386 on a 6.1.70 kernel) sent an NL80211_CMD_CONTROL_PORT_FRAME request; nl80211_tx_control_port passed the out-of-range link ID down to ieee80211_tx_control_port in mac80211, which read a link pointer from beyond the array and then performed a 6-byte memcpy (consistent with copying a MAC address) from the wild address that KASAN reported as a wild-memory-access. The demonstrated effect is a kernel crash, that is a denial of service; the report shows an out-of-bounds read only, and nothing on this page establishes privilege escalation or code execution, so such outcomes should be treated as unproven speculation rather than a known impact. The trigger is a generic netlink message, a local kernel/user-space interface, and this nl80211 command is restricted to callers holding CAP_NET_ADMIN for the network namespace that owns the wireless device and requires an up wireless interface, so the flaw is not reachable from the network. The fix is a one-token policy change: the maximum for NL80211_ATTR_MLO_LINK_ID becomes IEEE80211_MLD_MAX_NUM_LINKS - 1, so the validation layer rejects the out-of-bounds value before any driver code sees it. Stable kernels carrying the affected policy received the same backport; no exploitation in the wild is reported here, and no CVSS score is assigned (Cvss Version: null).
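As an added illustration, not kernel code and not part of this page's original analysis, the model below reproduces in plain C how an inclusive range check whose maximum is IEEE80211_MLD_MAX_NUM_LINKS admits link ID 15, which is one past the last index of an array sized IEEE80211_MLD_MAX_NUM_LINKS, and how the corrected maximum rejects it at the validation layer. The constant's value of 15 matches the kernel; struct range_policy, struct iface, nla_range_ok, link_id_in_bounds and classify_link_id are simplified stand-ins chosen for this example, not kernel APIs.

```c
/* Added example (not kernel code): models how the kernel's inclusive
 * NLA_POLICY_RANGE check for NL80211_ATTR_MLO_LINK_ID interacts with a
 * per-link array sized IEEE80211_MLD_MAX_NUM_LINKS. Names other than the
 * kernel constant are stand-ins chosen for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IEEE80211_MLD_MAX_NUM_LINKS 15   /* value used by the kernel */

/* Stand-in for struct nla_policy built with NLA_POLICY_RANGE(NLA_U8, min, max). */
struct range_policy {
    uint8_t min;
    uint8_t max;   /* inclusive, as in the kernel's range validation */
};

/* Vulnerable policy: max equals the array size, one past the last index. */
static const struct range_policy policy_before = {
    .min = 0, .max = IEEE80211_MLD_MAX_NUM_LINKS,
};

/* Fixed policy: max is the last valid index. */
static const struct range_policy policy_after = {
    .min = 0, .max = IEEE80211_MLD_MAX_NUM_LINKS - 1,
};

/* Models the kernel's unsigned range check: both bounds are inclusive. */
bool nla_range_ok(const struct range_policy *p, uint8_t value)
{
    return value >= p->min && value <= p->max;
}

/* Stand-in for the per-link pointer array that mac80211 keeps per
 * interface; it has exactly IEEE80211_MLD_MAX_NUM_LINKS slots. */
struct link_data { uint8_t addr[6]; };

struct iface {
    struct link_data *link[IEEE80211_MLD_MAX_NUM_LINKS];
};

/* True if link_id can safely index struct iface's link[] array. */
bool link_id_in_bounds(uint8_t link_id)
{
    return link_id < IEEE80211_MLD_MAX_NUM_LINKS;
}

/* Simulates the attribute path: policy validation first, then use as an
 * index. Returns -1 if the policy rejects the value, 1 if the policy
 * accepts it but it would index past the array (the CVE's condition),
 * and 0 if it is accepted and in bounds. The out-of-bounds read itself
 * is reported rather than performed, so this is safe to run. */
int classify_link_id(const struct range_policy *p, uint8_t link_id)
{
    if (!nla_range_ok(p, link_id))
        return -1;
    return link_id_in_bounds(link_id) ? 0 : 1;
}

int main(void)
{
    /* Walk the values around the boundary under both policies. */
    for (unsigned id = 13; id <= 16; id++)
        printf("link_id=%2u  before=%2d  after=%2d\n", id,
               classify_link_id(&policy_before, (uint8_t)id),
               classify_link_id(&policy_after, (uint8_t)id));
    return 0;
}
```

Under the vulnerable policy, link ID 15 is the only value that is accepted yet out of bounds; under the fixed policy it is rejected before any driver code runs, which is exactly what moving the check's maximum by one achieves.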
Potential Impact
For European organisations the exposure is narrower than a generic kernel bug. The trigger is a netlink message, a local kernel/user-space interface, so there is no remote network path to this flaw; a local attacker or a compromised process needs CAP_NET_ADMIN over the network namespace that owns a wireless device, plus an up wireless interface driven by mac80211, to reach nl80211_tx_control_port. The demonstrated effect is a kernel crash, that is denial of service; the page shows an out-of-bounds read and nothing that establishes privilege escalation or code execution. The systems most likely to meet the preconditions are laptops and workstations with Wi-Fi, Linux-based wireless access points and gateways, and embedded or IoT devices, which are widespread in telecommunications, manufacturing and public infrastructure across Europe. Headless servers and cloud instances without wireless hardware do not load cfg80211/mac80211 and are not affected in practice. The absence of known exploits, the local and privileged trigger, and the read-only nature of the demonstrated fault keep the immediate risk low, but the bug is an input-validation failure on a privileged control path and belongs in routine kernel patching.
Mitigation Recommendations
Apply the kernel update that carries the fix (the policy maximum for NL80211_ATTR_MLO_LINK_ID corrected to IEEE80211_MLD_MAX_NUM_LINKS - 1) from the distribution or kernel vendor, prioritising laptops, wireless access points, gateways and embedded devices that actually use mac80211 drivers. Where the fix cannot be applied promptly, keep CAP_NET_ADMIN away from untrusted workloads: do not grant it to containers or service accounts that do not need it, since the vulnerable command is only reachable by a caller holding that capability in the device's network namespace. Hosts without wireless hardware can confirm they have no exposure by checking that the cfg80211 and mac80211 modules are not loaded. KASAN is a debugging instrument for test kernels, not a production hardening feature: it is the right tool for fuzzing and CI builds that exercise nl80211, and it is how this bug was found, but it should not be enabled on production systems. On production kernels, watch for oopses or general protection faults in ieee80211_tx_control_port or nl80211_tx_control_port, which would indicate the out-of-bounds path being hit, and record which process issued the netlink request. For embedded and IoT devices, obtain firmware updates from the vendor and confirm that the shipped kernel version includes the backport. Incident response plans should treat unexplained kernel crashes on wireless-enabled hosts as events to investigate rather than as hardware noise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.843Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd148
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 10:41:25 PM
Last updated: 7/28/2025, 11:33:32 AM
Views: 11
Related Threats
- CVE-2025-8937: Command Injection in TOTOLINK N350R (Medium)
- CVE-2025-8936: SQL Injection in 1000 Projects Sales Management System (Medium)
- CVE-2025-5942: CWE-122 Heap-based Buffer Overflow in Netskope Netskope Client (Medium)
- CVE-2025-5941: CWE-125 Out-of-Bounds Read in Netskope Netskope Client (Low)
- CVE-2025-0309: Vulnerability in Netskope Netskope Client (Medium)