CVE-2024-47714 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: use hweight16 to get correct tx antenna

The chainmask is u16 so using hweight8 cannot get correct tx_ant. Without this patch, the tx_ant of band 2 would be -1 and lead to the following issue:

BUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e]

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability CVE-2024-47714 affects the Linux kernel's wireless subsystem, specifically within the mt76 driver family that supports MediaTek wireless chipsets including the mt7996. This issue manifests as a critical flaw in how transmit antenna selection is calculated for wireless network interfaces. The problem stems from an incorrect bitwise operation that uses the hweight8 function instead of the appropriate hweight16 function when processing chainmask values. The chainmask in question is defined as a 16-bit unsigned integer type (u16) which requires proper handling to count the number of set bits correctly. When the hweight8 function is used on a 16-bit value, it only examines the lower 8 bits, leading to incorrect antenna count calculations. This fundamental error in bit manipulation creates a scenario where the transmit antenna count for band 2 becomes negative, specifically -1, which triggers a kernel memory access violation.

The vulnerability directly relates to CWE-129, which addresses improper validation of array indices or buffer bounds, and CWE-787, concerning out-of-bounds write operations. The issue is particularly dangerous as it can cause kernel memory corruption through stack buffer overflows, as evidenced by the KASAN (Kernel Address Sanitizer) error message indicating a stack-out-of-bounds condition in the mt7996_mcu_add_sta function.

The operational impact of this vulnerability extends beyond simple wireless connectivity issues, potentially leading to system crashes, denial of service conditions, and in severe cases, privilege escalation or system instability. Attackers could exploit this by manipulating wireless network parameters to trigger the faulty code path, causing the kernel to execute invalid memory operations. This vulnerability aligns with ATT&CK technique T1059.006 for kernel-mode rootkits and T1490 for denial of service attacks.
The patch resolves this by ensuring that the hweight16 function is used consistently with the 16-bit chainmask data type, thereby providing correct antenna count calculations. The fix demonstrates the importance of proper data type handling in kernel space programming, where incorrect assumptions about data sizes can lead to critical security flaws. Organizations should prioritize applying this patch immediately, especially in environments where wireless connectivity is critical and where systems may be exposed to untrusted network conditions. The vulnerability highlights the necessity of thorough code review processes for kernel drivers, particularly those handling hardware-specific configurations and bit manipulation operations that directly impact system stability and security.

The technical implementation of this vulnerability demonstrates a classic case of data type mismatch in kernel space programming where the assumption about data size led to incorrect bit counting operations. The mt7996 wireless driver maintains internal state for transmit antenna configuration through chainmask values that represent which antennas are available for transmission. When the driver processes these values, it needs to count the number of active antennas to properly configure hardware resources. The hweight8 function, designed for 8-bit values, fails to account for the full 16-bit range of the chainmask, causing the upper 8 bits to be ignored completely. This results in erroneous antenna count calculations that can lead to negative values when the actual number of set bits in the full 16-bit value exceeds what hweight8 can accurately report.

The specific function mt7996_mcu_add_sta becomes the point of failure because it relies on this incorrect antenna count to allocate memory and configure hardware parameters. The KASAN stack-out-of-bounds error indicates that the kernel attempts to access memory beyond the allocated stack space, a direct consequence of the negative antenna count causing improper memory allocation. This vulnerability type represents a subset of memory safety issues classified under CWE-129 and CWE-787, where improper validation of data size leads to buffer overflows and memory corruption.

The ATT&CK framework categorizes this as a potential system stability compromise that could enable further exploitation, particularly in environments where wireless interfaces are frequently reconfigured or when malicious network conditions are present. The patch implementation requires careful attention to ensure that all similar bit counting operations within the wireless driver family are consistent with the actual data types being processed.
This vulnerability underscores the critical importance of kernel security practices including comprehensive testing of hardware-specific drivers, proper data type validation, and adherence to security coding standards. Organizations should implement continuous monitoring for similar issues in their kernel configurations and ensure that wireless network components are regularly updated with security patches to prevent exploitation through malformed wireless frames or configuration attacks.
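The following userspace program, added here as an illustration and not taken from the mt76 driver or the kernel patch, reproduces the arithmetic behind the bug: a popcount that only sees the low byte of a u16 chainmask yields 0 for a band whose chains live in the upper byte, so a "count minus one" antenna index becomes -1. The per-band chainmask layout (four bits per band), the `tx_ant = hweight - 1` formula, and the antenna lookup table are constructed assumptions for the demonstration; the bounds-checked lookup shows the check a defensive caller would apply before using such an index.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's hweight8()/hweight16():
 * both count set bits, but hweight8() only looks at the low 8 bits. */
static int hweight8(uint32_t w)  { return __builtin_popcount(w & 0xffu); }
static int hweight16(uint32_t w) { return __builtin_popcount(w & 0xffffu); }

/* Constructed chainmasks (assumption, NOT the real mt7996 layout):
 * each band owns a contiguous 4-bit slice of the 16-bit mask. */
#define BAND0_CHAINMASK 0x000fu
#define BAND1_CHAINMASK 0x00f0u
#define BAND2_CHAINMASK 0x0f00u

/* Pre-patch style computation: 8-bit popcount applied to a u16 mask. */
static int tx_ant_buggy(uint16_t chainmask)
{
    return hweight8(chainmask) - 1;
}

/* Patched style computation: popcount over the full 16-bit mask. */
static int tx_ant_fixed(uint16_t chainmask)
{
    return hweight16(chainmask) - 1;
}

/* Defensive consumer: the antenna index must address a fixed-size
 * per-antenna table. A -1 index is rejected instead of dereferenced. */
#define MAX_TX_ANT 4
static const int ant_power_table[MAX_TX_ANT] = { 10, 12, 14, 16 }; /* constructed */

static int lookup_ant_power(int tx_ant)
{
    if (tx_ant < 0 || tx_ant >= MAX_TX_ANT)
        return -1;   /* out of range: refuse rather than read out of bounds */
    return ant_power_table[tx_ant];
}

int main(void)
{
    const uint16_t masks[] = { BAND0_CHAINMASK, BAND1_CHAINMASK, BAND2_CHAINMASK };
    for (int band = 0; band < 3; band++)
        printf("band %d chainmask=0x%04x hweight8-1=%d hweight16-1=%d\n",
               band, masks[band], tx_ant_buggy(masks[band]),
               tx_ant_fixed(masks[band]));
    return 0;
}
```

Band 0 gives 3 either way, which is why the bug only surfaces for a band whose chains sit above bit 7.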

Responsible

Linux

Reservation

09/30/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00214

KEV

no

Activities

very low
