PT-2024-36845 · Linux+3 · Linux Kernel+3

Jeff Johnson +1 · Published 2024-10-07 · Updated 2025-07-16 · CVE-2024-56541

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A use-after-free vulnerability has been resolved in the Linux kernel, specifically in the ath12k module. The issue occurs during removal of the ath12k module, where the ath12k_mac_destroy() function unregisters ah->hw from mac80211 and frees ah->hw as well as all the ar's in it. Later, the ath12k_dp_cc_cleanup() function tries to access one of the freed ar's from a pending skb, leading to a use-after-free error. This is because the driver failed to flush a few data packets during the destruction of the mac, which were accessed later and freed. The vulnerability was introduced by a commit that added a change to decrement the pending packets count in case of recovery, but this change does not make sense during core deinit.

Recommendations

To fix this issue, avoid accessing ar from skb->cb when the driver is being unregistered. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use After Free

Weakness Enumeration

Related Identifiers

BDU:2025-07224
CVE-2024-56541
SUSE-SU-2025:02254-1
SUSE-SU-2025:02307-1
SUSE-SU-2025:02333-1
SUSE-SU-2025_02254-1
SUSE-SU-2025_02307-1
SUSE-SU-2025_02333-1
USN-7276-1
USN-7277-1
USN-7310-1

Affected Products

Linux Mint
Linux Kernel
SUSE
Ubuntu