CVE-2024-26896
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-26896
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26896.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-26896
- Downstream
- Related
- Published
- 2024-04-17T10:27:47.214Z
- Modified
- 2025-11-20T04:29:48.470872Z
- Summary
- wifi: wfx: fix memory leak when starting AP
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
wifi: wfx: fix memory leak when starting AP
Kmemleak reported this error:
unreferenced object 0xd73d1180 (size 184): comm "wpa_supplicant", pid 1559, jiffies 13006305 (age 964.245s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................ backtrace: [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac [<127bdd74>] __alloc_skb+0x144/0x170 [<fb8a5e38>] __netdev_alloc_skb+0x50/0x180 [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211] [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211] [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx] [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211] [<a4a661cd>] nl80211_start_ap+0x76c/0x9e0 [cfg80211] [<47bd8b68>] genl_rcv_msg+0x198/0x378 [<453ef796>] netlink_rcv_skb+0xd0/0x130 [<6b7c977a>] genl_rcv+0x34/0x44 [<66b2d04d>] netlink_unicast+0x1b4/0x258 [<f965b9b6>] netlink_sendmsg+0x1e8/0x428 [<aadb8231>] ____sys_sendmsg+0x1e0/0x274 [<d2b5212d>] ___sys_sendmsg+0x80/0xb4 [<69954f45>] __sys_sendmsg+0x64/0xa8 unreferenced object 0xce087000 (size 1024): comm "wpa_supplicant", pid 1559, jiffies 13006305 (age 964.246s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ backtrace: [<9a993714>] __kmalloc_track_caller+0x230/0x600 [<f83ea192>] kmalloc_reserve.constprop.0+0x30/0x74 [<a2c61343>] __alloc_skb+0xa0/0x170 [<fb8a5e38>] __netdev_alloc_skb+0x50/0x180 [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211] [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211] [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx] [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211] [<a4a661cd>] nl80211_start_ap+0x76c/0x9e0 [cfg80211] [<47bd8b68>] genl_rcv_msg+0x198/0x378 [<453ef796>] netlink_rcv_skb+0xd0/0x130 [<6b7c977a>] genl_rcv+0x34/0x44 [<66b2d04d>] netlink_unicast+0x1b4/0x258 [<f965b9b6>] netlink_sendmsg+0x1e8/0x428 [<aadb8231>] ____sys_sendmsg+0x1e0/0x274 [<d2b5212d>] ___sys_sendmsg+0x80/0xb4However, since the kernel is build optimized, it seems the stack is not accurate. It appears the issue is related to wfxsetmfpap(). The issue is obvious in this function: memory allocated by ieee80211beacon_get() is never released. Fixing this leak makes kmemleak happy.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3
- https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b
- https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3
- https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc
- https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced268bceec1684932e194ae87877dcc73f534d921cFixeda1f57a0127b89a6b6620514564aa7eaec16d9af3
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced268bceec1684932e194ae87877dcc73f534d921cFixed3a71ec74e5e3478d202a1874f085ca3ef40be49b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced268bceec1684932e194ae87877dcc73f534d921cFixed12f00a367b2b62756e0396f14b54c2c15524e1c3
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced268bceec1684932e194ae87877dcc73f534d921cFixeddadbb5d29d6c5f571a50272fce8c1505a9559487
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced268bceec1684932e194ae87877dcc73f534d921cFixedb8cfb7c819dd39965136a66fe3a7fde688d976fc
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.9
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.10
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.7.9
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
Database specific
vanir_signatures
[
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c",
"function": "wfx_set_mfp_ap"
},
"signature_version": "v1",
"id": "CVE-2024-26896-5d5d9b50",
"digest": {
"function_hash": "64214103254892523797089185519510378729",
"length": 911.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b8cfb7c819dd39965136a66fe3a7fde688d976fc",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c"
},
"signature_version": "v1",
"id": "CVE-2024-26896-608bc27e",
"digest": {
"line_hashes": [
"149447609669102839920865938900747783783",
"334191569760261183798775106686343193568",
"167228935372141024490246905805632928710",
"286714768318445797164842762715727821235",
"219193107294024782720819282686878572892",
"61018095080747817199059492492969158666",
"37195884005220459111437000871813758833",
"254597636214785506985307553470643675210",
"173239495295467131982047900405901020826",
"1947200885860781739328546138195172530",
"260903792473401086520018726276607033811",
"313766475827579952732224573964568064285",
"86862888404858684729287760448254736180",
"37833095398726933581462642725600403420",
"309564395636119403043168297455418651475",
"247291738320884048628923683456087891161",
"328537023042823015782691222953910875955",
"189954862038560622955276492005697508245",
"192274636521117056123609633161763838420"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a71ec74e5e3478d202a1874f085ca3ef40be49b",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c",
"function": "wfx_set_mfp_ap"
},
"signature_version": "v1",
"id": "CVE-2024-26896-7d21cca8",
"digest": {
"function_hash": "64214103254892523797089185519510378729",
"length": 911.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12f00a367b2b62756e0396f14b54c2c15524e1c3",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c"
},
"signature_version": "v1",
"id": "CVE-2024-26896-84b951a7",
"digest": {
"line_hashes": [
"149447609669102839920865938900747783783",
"334191569760261183798775106686343193568",
"167228935372141024490246905805632928710",
"286714768318445797164842762715727821235",
"219193107294024782720819282686878572892",
"61018095080747817199059492492969158666",
"37195884005220459111437000871813758833",
"254597636214785506985307553470643675210",
"173239495295467131982047900405901020826",
"1947200885860781739328546138195172530",
"260903792473401086520018726276607033811",
"313766475827579952732224573964568064285",
"86862888404858684729287760448254736180",
"37833095398726933581462642725600403420",
"309564395636119403043168297455418651475",
"247291738320884048628923683456087891161",
"328537023042823015782691222953910875955",
"189954862038560622955276492005697508245",
"192274636521117056123609633161763838420"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12f00a367b2b62756e0396f14b54c2c15524e1c3",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c"
},
"signature_version": "v1",
"id": "CVE-2024-26896-8c8b104d",
"digest": {
"line_hashes": [
"149447609669102839920865938900747783783",
"334191569760261183798775106686343193568",
"167228935372141024490246905805632928710",
"286714768318445797164842762715727821235",
"219193107294024782720819282686878572892",
"61018095080747817199059492492969158666",
"37195884005220459111437000871813758833",
"254597636214785506985307553470643675210",
"173239495295467131982047900405901020826",
"1947200885860781739328546138195172530",
"260903792473401086520018726276607033811",
"313766475827579952732224573964568064285",
"86862888404858684729287760448254736180",
"37833095398726933581462642725600403420",
"309564395636119403043168297455418651475",
"247291738320884048628923683456087891161",
"328537023042823015782691222953910875955",
"189954862038560622955276492005697508245",
"192274636521117056123609633161763838420"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a1f57a0127b89a6b6620514564aa7eaec16d9af3",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c",
"function": "wfx_set_mfp_ap"
},
"signature_version": "v1",
"id": "CVE-2024-26896-9067ae38",
"digest": {
"function_hash": "64214103254892523797089185519510378729",
"length": 911.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a1f57a0127b89a6b6620514564aa7eaec16d9af3",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c"
},
"signature_version": "v1",
"id": "CVE-2024-26896-92212dc8",
"digest": {
"line_hashes": [
"149447609669102839920865938900747783783",
"334191569760261183798775106686343193568",
"167228935372141024490246905805632928710",
"286714768318445797164842762715727821235",
"219193107294024782720819282686878572892",
"61018095080747817199059492492969158666",
"37195884005220459111437000871813758833",
"254597636214785506985307553470643675210",
"173239495295467131982047900405901020826",
"1947200885860781739328546138195172530",
"260903792473401086520018726276607033811",
"313766475827579952732224573964568064285",
"86862888404858684729287760448254736180",
"37833095398726933581462642725600403420",
"309564395636119403043168297455418651475",
"247291738320884048628923683456087891161",
"328537023042823015782691222953910875955",
"189954862038560622955276492005697508245",
"192274636521117056123609633161763838420"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dadbb5d29d6c5f571a50272fce8c1505a9559487",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c",
"function": "wfx_set_mfp_ap"
},
"signature_version": "v1",
"id": "CVE-2024-26896-a2bfff88",
"digest": {
"function_hash": "64214103254892523797089185519510378729",
"length": 911.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dadbb5d29d6c5f571a50272fce8c1505a9559487",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c"
},
"signature_version": "v1",
"id": "CVE-2024-26896-bc5d808d",
"digest": {
"line_hashes": [
"149447609669102839920865938900747783783",
"334191569760261183798775106686343193568",
"167228935372141024490246905805632928710",
"286714768318445797164842762715727821235",
"219193107294024782720819282686878572892",
"61018095080747817199059492492969158666",
"37195884005220459111437000871813758833",
"254597636214785506985307553470643675210",
"173239495295467131982047900405901020826",
"1947200885860781739328546138195172530",
"260903792473401086520018726276607033811",
"313766475827579952732224573964568064285",
"86862888404858684729287760448254736180",
"37833095398726933581462642725600403420",
"309564395636119403043168297455418651475",
"247291738320884048628923683456087891161",
"328537023042823015782691222953910875955",
"189954862038560622955276492005697508245",
"192274636521117056123609633161763838420"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b8cfb7c819dd39965136a66fe3a7fde688d976fc",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "drivers/net/wireless/silabs/wfx/sta.c",
"function": "wfx_set_mfp_ap"
},
"signature_version": "v1",
"id": "CVE-2024-26896-d266d063",
"digest": {
"function_hash": "64214103254892523797089185519510378729",
"length": 911.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a71ec74e5e3478d202a1874f085ca3ef40be49b",
"deprecated": false,
"signature_type": "Function"
}
]