CVE-2024-26693 in Linuxinfo

Summary

by MITRE • 04/03/2024

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: fix a crash when we run out of stations

A DoS tool that injects loads of authentication frames made our AP crash. The iwl_mvm_is_dup() function couldn't find the per-queue dup_data which was not allocated.

The root cause for that is that we ran out of stations in the firmware and we didn't really add the station to the firmware, yet we didn't return an error to mac80211. Mac80211 was thinking that we have the station and because of that, sta_info::uploaded was set to 1. This allowed ieee80211_find_sta_by_ifaddr() to return a valid station object, but that ieee80211_sta didn't have any iwl_mvm_sta object initialized and that caused the crash mentioned earlier when we got Rx on that station.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 08/03/2025

The vulnerability CVE-2024-26693 represents a critical denial-of-service condition within the Linux kernel's iwlwifi wireless driver implementation specifically affecting the iwl_mvm subsystem. This flaw manifests as a crash scenario that occurs when wireless access points attempt to handle excessive authentication frame loads, ultimately leading to system instability and service disruption. The vulnerability stems from inadequate error handling mechanisms within the wireless driver's station management framework, where the system fails to properly validate resource allocation states before proceeding with subsequent operations. The issue is particularly concerning in enterprise and high-traffic wireless environments where authentication storms or malicious injection attacks could systematically compromise network availability.

The technical root cause of this vulnerability lies in the improper handling of station allocation failures within the iwlwifi driver's management virtual machine implementation. When the firmware exhausts its available station slots, the iwl_mvm_is_dup() function encounters a critical failure state where it cannot locate the per-queue dup_data structure that should have been allocated during the station creation process. This occurs because the system fails to return appropriate error codes to the mac80211 subsystem when station allocation fails, creating a state inconsistency where the upper network layers believe a station has been successfully registered. The CWE-362 classification applies here as this represents a race condition or improper resource management scenario where the system operates under incorrect assumptions about allocated resources, leading to undefined behavior.

The operational impact of this vulnerability extends beyond simple system crashes to encompass complete network service disruption in affected wireless environments. When an attacker or legitimate user floods the access point with excessive authentication frames, the driver enters a corrupted state where it maintains false positive station references while lacking the underlying data structures required for proper frame processing. This creates a dangerous condition where ieee80211_find_sta_by_ifaddr() returns a seemingly valid station object that lacks proper initialization, particularly the iwl_mvm_sta object that contains essential per-station data structures. The subsequent reception of frames on this improperly initialized station object triggers a kernel crash, effectively rendering the wireless access point unavailable to legitimate users and potentially allowing attackers to maintain persistent denial-of-service conditions.

Mitigation strategies for this vulnerability require immediate kernel updates from vendors that include patches addressing the station allocation error handling and resource management issues. System administrators should implement monitoring solutions to detect unusual authentication frame patterns that could indicate attempted exploitation of this vulnerability. The ATT&CK framework's T1499.004 technique for network disruption through resource exhaustion becomes relevant in understanding how this vulnerability could be exploited in coordinated attack scenarios. Additionally, implementing rate limiting and authentication frame filtering mechanisms at the network level can provide temporary protection while awaiting official patches. Organizations should also consider implementing redundant wireless infrastructure and automated failover mechanisms to minimize the impact of potential exploitation attempts, as this vulnerability specifically targets the core wireless management functionality of Linux-based access points.

Reservation

02/19/2024

Disclosure

04/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00243

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!