CVE-2024-49930 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix array out-of-bound access in SoC stats
Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function accesses ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. The SRNG ring ID differs from the normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_process_rx() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access.
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Analysis
by VulDB Data Team • 03/17/2026
The vulnerability identified as CVE-2024-49930 represents a critical array out-of-bounds access flaw within the Linux kernel's ath11k wireless driver implementation. This issue specifically affects the Qualcomm QCN9074 wireless chipset and demonstrates a fundamental mismatch between array indexing and the actual data source identifiers. The flaw resides in the ath11k_soc_dp_stats structure where the hal_reo_error array is dimensioned to accommodate DP_REO_DST_RING_MAX elements, yet the processing function incorrectly utilizes SRNG (Single Ring) ring identifiers instead of standard ring identifiers for array indexing operations.
The technical root cause is a confusion between two ring identifier schemes in the wireless driver's data processing pipeline. The ath11k_dp_process_rx() function indexes the array with the REO destination SRNG ring ID, which is a different identifier from the conventional ring ID the array is dimensioned for. The SRNG ring ID can therefore exceed the allocated bounds, potentially leading to memory corruption and system instability. The vulnerability sits at the intersection of hardware abstraction layer design and kernel memory management, and the resulting out-of-bounds access is a memory-safety flaw that malicious actors could attempt to exploit.
The operational impact of this vulnerability extends beyond simple memory corruption to potentially compromise system integrity and wireless functionality. When the array out-of-bounds access occurs, it can result in kernel panics, system crashes, or more insidiously, data corruption that may persist undetected. The affected hardware platform QCN9074 hw1.0 with the specified firmware version represents a significant attack surface given the widespread deployment of Qualcomm wireless chipsets in enterprise and consumer environments. This flaw could enable attackers to disrupt wireless communications or potentially escalate privileges within the kernel space, as the memory corruption may allow for arbitrary code execution or information disclosure.
This vulnerability aligns with CWE-129, which addresses improper validation of array indices, and demonstrates characteristics consistent with ATT&CK technique T1068, involving the exploitation of privilege escalation vulnerabilities. The fix implementation requires modification of the ath11k_dp_process_rx() function to utilize standard ring IDs directly instead of SRNG ring IDs for array indexing operations. This remediation approach follows established security practices for preventing buffer overflows and memory corruption vulnerabilities in kernel space drivers. The solution represents a straightforward but critical correction that ensures proper indexing semantics within the wireless driver's data processing pipeline, thereby maintaining the integrity of the kernel's memory management subsystem.
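The indexing mismatch described in the summary and the analysis above, as an added C example written for this page rather than code from the ath11k driver: DP_REO_DST_RING_MAX, HAL_REO_ERROR_CODE_MAX, the SRNG id table and all function names are constructed stand-ins, and the "buggy" path is bounds-checked so it reports the would-be overflow instead of performing it.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed stand-ins; the real sizes and SRNG numbering are the driver's. */
#define DP_REO_DST_RING_MAX    4
#define HAL_REO_ERROR_CODE_MAX 16
struct soc_dp_stats {
	uint32_t hal_reo_error[DP_REO_DST_RING_MAX][HAL_REO_ERROR_CODE_MAX];
};
static struct soc_dp_stats g_stats; /* zero-initialised demo counters */

/* Constructed table: normal ring index -> SRNG id of that REO destination
 * ring. SRNG ids come from a driver-wide pool, so they are not 0-based. */
static const int reo_dst_srng_id[DP_REO_DST_RING_MAX] = { 9, 10, 11, 12 };

static bool reo_index_ok(int ring_idx, int err)
{
	return ring_idx >= 0 && ring_idx < DP_REO_DST_RING_MAX && err >= 0 && err < HAL_REO_ERROR_CODE_MAX;
}

/* Pre-fix pattern: the ring's SRNG id becomes the subscript. The guard keeps
 * this demo memory-safe (the unpatched driver had none). Returns new count or -1. */
static int count_reo_error_buggy(struct soc_dp_stats *s, int ring_id, int err)
{
	if (ring_id < 0 || ring_id >= DP_REO_DST_RING_MAX)
		return -1;
	int idx = reo_dst_srng_id[ring_id];
	if (!reo_index_ok(idx, err))
		return -1; /* this is the out-of-bounds write the fix removes */
	return (int)++s->hal_reo_error[idx][err];
}

/* Fixed pattern: index by the normal ring id, which the array is sized for. */
static int count_reo_error_fixed(struct soc_dp_stats *s, int ring_id, int err)
{
	if (!reo_index_ok(ring_id, err))
		return -1;
	return (int)++s->hal_reo_error[ring_id][err];
}

/* REO destination rings whose stats slot stays inside the array under each
 * scheme: use_srng_id=true is the buggy indexing, false the fixed one. */
static int rings_safely_indexable(bool use_srng_id)
{
	int n = 0;
	for (int r = 0; r < DP_REO_DST_RING_MAX; r++)
		if (reo_index_ok(use_srng_id ? reo_dst_srng_id[r] : r, 0))
			n++;
	return n;
}
```

With the constructed SRNG ids every ring is rejected under the old indexing and accepted under the fixed one, which is the whole content of the patch: same data, different subscript.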