CVE-2024-57995

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-57995
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-57995.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-57995
Downstream
Published
2025-02-27T02:07:16Z
Modified
2025-11-02T20:25:03.465870Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev()
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix read pointer after free in ath12kmacassignvifto_vdev()

In ath12kmacassignviftovdev(), if arvif is created on a different radio, it gets deleted from that radio through a call to ath12kmacunassignlink_vif(). This action frees the arvif pointer. Subsequently, there is a check involving arvif, which will result in a read-after-free scenario.

Fix this by moving this check after arvif is again assigned via call to ath12kmacassignlinkvif().

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5068bc9180d06a5ac242b0f9263047c14f86211
Fixed
57100b87c77818cb0d582a92e5cb32fff85c757d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5068bc9180d06a5ac242b0f9263047c14f86211
Fixed
f3a95a312419e4f1e992525917da9dbcd247038f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5068bc9180d06a5ac242b0f9263047c14f86211
Fixed
5a10971c7645a95f5d5dc23c26fbac4bf61801d0

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.53
v6.12.54
v6.12.55
v6.12.56
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.9
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "156155335136604789014632880139793213915",
                "318280139171910976871015925348260344469",
                "165695772431394781451666547024280028764",
                "333211423710547578885745979230612753357",
                "14646644337488778463083228954791248656",
                "130966135899905948955770231845532935292",
                "256372358218348522173966418888172683615",
                "23641802153856096154298891011391591608",
                "15583374017751321111493989951354994955",
                "61701989205026390568378620164254214738"
            ]
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath12k/mac.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@57100b87c77818cb0d582a92e5cb32fff85c757d",
        "id": "CVE-2024-57995-2d7484e5",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "160691212064508293834106105635380727800",
                "180798128642656783331641917475506212728",
                "331868534165436836177772451478536309811",
                "307744303273463421441066689743040311445",
                "97369677346344831712582483195897158081",
                "23641802153856096154298891011391591608",
                "15583374017751321111493989951354994955",
                "61701989205026390568378620164254214738"
            ]
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath12k/mac.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f3a95a312419e4f1e992525917da9dbcd247038f",
        "id": "CVE-2024-57995-81fc0107",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "202982294405804188492365050576310218185",
            "length": 1369.0
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath12k/mac.c",
            "function": "ath12k_mac_assign_vif_to_vdev"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f3a95a312419e4f1e992525917da9dbcd247038f",
        "id": "CVE-2024-57995-a06d2441",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "55482746650222415414408134992056361228",
            "length": 1476.0
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath12k/mac.c",
            "function": "ath12k_mac_assign_vif_to_vdev"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@57100b87c77818cb0d582a92e5cb32fff85c757d",
        "id": "CVE-2024-57995-d8ec50d2",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "160691212064508293834106105635380727800",
                "180798128642656783331641917475506212728",
                "331868534165436836177772451478536309811",
                "307744303273463421441066689743040311445",
                "97369677346344831712582483195897158081",
                "23641802153856096154298891011391591608",
                "15583374017751321111493989951354994955",
                "61701989205026390568378620164254214738"
            ]
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath12k/mac.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a10971c7645a95f5d5dc23c26fbac4bf61801d0",
        "id": "CVE-2024-57995-e7ad0689",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "42802143110232706401964124762728219558",
            "length": 1620.0
        },
        "target": {
            "file": "drivers/net/wireless/ath/ath12k/mac.c",
            "function": "ath12k_mac_assign_vif_to_vdev"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a10971c7645a95f5d5dc23c26fbac4bf61801d0",
        "id": "CVE-2024-57995-ebdc5ba0",
        "deprecated": false,
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.57
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.2