CVE-2024-57995

CVE-2024-57995 is a use-after-free vulnerability in the Linux kernel's ath12k WiFi driver, specifically within the ath12k_mac_assign_vif_to_vdev() function. The issue arises when an arvif structure, created on a different radio, is deleted via ath12k_mac_unassign_link_vif(), which frees the arvif pointer. A subsequent check then accesses the freed arvif, resulting in a read-after-free condition. This flaw, classified under CWE-416, affects systems using the ath12k driver and was tested on QCN9274 hw2.0 PCI with WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 firmware.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability, which carries a CVSS v3.1 base score of 7.8 (High). Successful exploitation could lead to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling privilege escalation, arbitrary code execution, or system crashes on affected kernels.

Mitigation involves applying the upstream Linux kernel patches provided in the stable repository commits: 57100b87c77818cb0d582a92e5cb32fff85c757d, 5a10971c7645a95f5d5dc23c26fbac4bf61801d0, and f3a95a312419e4f1e992525917da9dbcd247038f. These fixes reorder the logic to move the arvif check after reassignment via ath12k_mac_assign_link_vif(), preventing the read-after-free. Security practitioners should update to kernels incorporating these commits.