
CVE-2024-57948: Vulnerability in Linux Linux

High
Published: Fri Jan 31 2025 (01/31/2025, 11:25:29 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mac802154: check local interfaces before deleting sdata list

syzkaller reported a corrupted list in ieee802154_if_remove. [1]

Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 hardware device from the system.

    CPU0                                CPU1
    ====                                ====
    genl_family_rcv_msg_doit            ieee802154_unregister_hw
    ieee802154_del_iface                ieee802154_remove_interfaces
    rdev_del_virtual_intf_deprecated    list_del(&sdata->list)
    ieee802154_if_remove
    list_del_rcu

The net device has been unregistered, since the rcu grace period, unregistration must be run before ieee802154_if_remove.

To avoid this issue, add a check for local->interfaces before deleting sdata list.

[1]

    kernel BUG at lib/list_debug.c:58!
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
    RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
    Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
    RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
    RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
    RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
    RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
    R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
    R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
    FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     __list_del_entry_valid include/linux/list.h:124 [inline]
     __list_del_entry include/linux/list.h:215 [inline]
     list_del_rcu include/linux/rculist.h:157 [inline]
     ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
     rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
     ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
     genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
     genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
     genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
     netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
     genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
     netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
     netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
     netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:729 [inline]
     __sock_sendmsg+0x221/0x270 net/socket.c:744
     ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
     ___sys_sendmsg net/socket.c:2661 [inline]
     __sys_sendmsg+0x292/0x380 net/socket.c:2690
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

AI-Powered Analysis

Last updated: 06/28/2025, 09:25:03 UTC

Technical Analysis

CVE-2024-57948 is a vulnerability identified in the Linux kernel's mac802154 subsystem, which handles IEEE 802.15.4 network interfaces. The issue arises from improper handling of local interface lists during the removal of an IEEE 802.15.4 network interface after the corresponding hardware device has been unregistered. Specifically, the vulnerability is due to a missing check for the presence of local interfaces before deleting the sdata list, leading to a corrupted linked list and a kernel BUG triggered in list_debug.c. This bug manifests as an invalid opcode exception and kernel crash (Oops) during the execution of ieee802154_if_remove, which is part of the interface removal process. The root cause is a race condition or ordering flaw where the net device is unregistered, but the RCU (Read-Copy-Update) grace period has not completed before the interface removal proceeds, causing use-after-free or list corruption. The vulnerability was discovered via syzkaller, a kernel fuzzing tool, and results in a kernel panic or crash, impacting system stability and availability. The affected Linux kernel versions include those around the 6.12.0-rc6 release candidate, with the patch involving adding a check for local->interfaces before deleting the sdata list to prevent list corruption. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
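
A userspace C model of the sequence described above, added here as an illustration (it is not the kernel patch and not code from this page): hardware unregistration unlinks and poisons the entry, and a later interface removal either deletes it a second time or, with the local->interfaces check, returns early. The struct names, function names and the replay() driver are simplified stand-ins; the poison constants are the x86-64 list poison values, the same ones visible in RBX and R14 of the oops in the Description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Userspace model only: names echo the kernel's, bodies are simplified. */
struct list_head { struct list_head *next, *prev; };
/* x86-64 list poison values; compare RBX and R14 in the oops trace. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000122ULL)

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
/* Delete with a debug-style sanity check: false where the kernel would BUG(). */
static bool list_del_checked(struct list_head *e) {
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return false;                      /* entry was already deleted */
    if (e->prev->next != e || e->next->prev != e)
        return false;                      /* neighbours do not point back */
    e->next->prev = e->prev; e->prev->next = e->next;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
    return true;
}

struct local { struct list_head interfaces; };
struct sdata { struct list_head list; struct local *local; };

/* CPU1 path: hardware unregistration unlinks every interface. */
static void remove_interfaces(struct local *l) {
    while (!list_empty(&l->interfaces))
        list_del_checked(l->interfaces.next);
}
/* CPU0 path: interface removal, with or without the added check. */
static bool if_remove(struct sdata *s, bool patched) {
    if (patched && list_empty(&s->local->interfaces))
        return true;                       /* nothing left to unlink */
    return list_del_checked(&s->list);
}
/* Replays the reported order; false means the second delete was attempted. */
bool replay(bool hw_unregistered, bool patched) {
    struct local l; struct sdata s = { .local = &l };
    list_init(&l.interfaces); list_add(&s.list, &l.interfaces);
    if (hw_unregistered) remove_interfaces(&l);
    return if_remove(&s, patched);
}
int main(void) {
    printf("unpatched=%d patched=%d\n", replay(true, false), replay(true, true));
    return 0;
}
```

The model is single-threaded and covers only the list handling; locking, RCU grace periods and net device unregistration are left out.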

Potential Impact

For European organizations, the impact of CVE-2024-57948 primarily concerns systems running Linux kernels with the affected mac802154 subsystem, particularly those utilizing IEEE 802.15.4 wireless interfaces. This includes IoT devices, industrial control systems, and embedded systems that rely on low-power wireless communication standards common in smart city infrastructure, industrial automation, and sensor networks. A successful exploitation leads to kernel crashes and system instability, resulting in denial of service (DoS). While this vulnerability does not directly lead to privilege escalation or remote code execution, the resulting DoS can disrupt critical services, cause downtime, and potentially impact safety-critical operations. European organizations deploying Linux-based IoT gateways, edge devices, or network infrastructure that use IEEE 802.15.4 could face operational interruptions. Additionally, the requirement for local interface manipulation and kernel-level access means exploitation is more likely in environments where attackers have some level of system access, such as insider threats or compromised devices. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely used Linux kernels necessitates prompt attention to avoid future exploitation as attackers develop techniques to trigger the bug remotely or via crafted inputs.

Mitigation Recommendations

1. Immediate application of the official Linux kernel patch that adds the necessary check for local interfaces before deleting the sdata list in the mac802154 subsystem. This patch prevents list corruption and kernel crashes.
2. For organizations unable to upgrade immediately, implement kernel-level monitoring to detect and alert on ieee802154_if_remove failures or kernel BUG messages related to list corruption.
3. Restrict access to systems with IEEE 802.15.4 interfaces to trusted users and processes only, minimizing the risk of malicious interface removal attempts.
4. Harden system configurations by disabling unused IEEE 802.15.4 interfaces or modules if not required, reducing the attack surface.
5. Employ kernel lockdown features and secure boot mechanisms to prevent unauthorized kernel module loading or tampering.
6. Conduct thorough testing of kernel updates in staging environments to ensure stability and compatibility before deployment.
7. Maintain up-to-date inventory of devices using IEEE 802.15.4 to prioritize patching and monitoring efforts.
8. Collaborate with device vendors and Linux distribution maintainers to ensure timely patch distribution and deployment.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-01-19T11:50:08.380Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9823c4522896dcbdeb57

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 6/28/2025, 9:25:03 AM

Last updated: 8/14/2025, 7:03:37 AM
