CVE-2024-57899

High

Published: 15 January 2025

Published

15 January 2025

Modified

17 October 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 10.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix mbss changed flags corruption on 32 bit systems On 32-bit systems, the size of an unsigned long is 4 bytes, while a u64 is 8 bytes. Therefore, when using or_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE), the code is incorrectly searching for a bit in a 32-bit variable that is expected to be 64 bits in size, leading to incorrect bit finding. Solution: Ensure that the size of the bits variable is correctly adjusted for each architecture. Call Trace: ? show_regs+0x54/0x58 ? __warn+0x6b/0xd4 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? report_bug+0x113/0x150 ? exc_overflow+0x30/0x30 ? handle_bug+0x27/0x44 ? exc_invalid_op+0x18/0x50 ? handle_exception+0xf6/0xf6 ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? ieee80211_mesh_work+0xff/0x260 [mac80211] ? cfg80211_wiphy_work+0x72/0x98 [cfg80211] ? process_one_work+0xf1/0x1fc ? worker_thread+0x2c0/0x3b4 ? kthread+0xc7/0xf0 ? mod_delayed_work_on+0x4c/0x4c ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork+0x24/0x38 ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork_asm+0xf/0x14 ? entry_INT80_32+0xf0/0xf0 [restore no-op path for no changes]

Security Summary

CVE-2024-57899 is a vulnerability in the Linux kernel's mac80211 subsystem that causes corruption of MBSS (multi-BSS) changed flags specifically on 32-bit systems. The issue arises because an unsigned long is 4 bytes while a u64 is 8 bytes, leading the for_each_set_bit macro to incorrectly search a 32-bit variable as if it were 64 bits, resulting in erroneous bit detection. This affects Wi-Fi functionality, particularly in ieee80211_link_info_change_notify during mesh operations, as evidenced by the provided call trace showing kernel exceptions like exc_overflow and exc_invalid_op.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored by CVSS 3.1 at 7.8. Exploitation likely triggers kernel crashes or data corruption in Wi-Fi mesh handling, enabling denial of service or further compromise from a local context.

Kernel stable patches address the issue by ensuring the bits variable size is correctly adjusted for each architecture, as detailed in the referenced commits: https://git.kernel.org/stable/c/36b739637d7042843f9df57212ecee6ed6e0d4b2, https://git.kernel.org/stable/c/49dba1ded8dd5a6a12748631403240b2ab245c34, and https://git.kernel.org/stable/c/86772872f9f5097cd03d0e1c6813238bd38c250b. Security practitioners should apply these upstream fixes to affected 32-bit Linux kernels.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

linux

linux kernel

6.13 · ≤ 6.6.70 · 6.7 — 6.12.9

References

https://git.kernel.org/stable/c/36b739637d7042843f9df57212ecee6ed6e0d4b2
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/49dba1ded8dd5a6a12748631403240b2ab245c34
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/86772872f9f5097cd03d0e1c6813238bd38c250b
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67