CVE-2024-49931 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix array out-of-bound access in SoC stats

Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process() function access ath12k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 03/17/2026

The vulnerability identified as CVE-2024-49931 represents a critical array out-of-bounds access flaw within the Linux kernel's ath12k wireless driver implementation. This issue specifically affects the Qualcomm QCN9274 wireless chipset and demonstrates a fundamental misunderstanding of ring identifier semantics within the driver's data processing pipeline. The vulnerability resides in the ath12k_soc_dp_stats structure where the hal_reo_error array is dimensioned to accommodate DP_REO_DST_RING_MAX elements, yet the driver's processing function incorrectly references this array using SRNG ring identifiers instead of standard ring identifiers.

The technical flaw manifests when the ath12k_dp_rx_process() function attempts to access the hal_reo_error array using REO destination SRNG ring IDs rather than the conventional ring IDs that match the array's expected indexing scheme. This mismatch creates a direct path for out-of-bounds memory access patterns that can result in undefined behavior, memory corruption, and potential privilege escalation opportunities. The SRNG ring ID system operates under different conventions than standard ring IDs, creating a semantic gap that the driver fails to properly bridge. This type of vulnerability falls under CWE-129, specifically addressing inadequate bounds checking in array access operations.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to manipulate kernel memory structures and achieve privilege escalation within the wireless subsystem. The flaw exists in the data processing path of the wireless driver where incoming packets are processed and statistics are collected, making it a high-value target for exploitation. Attackers could potentially leverage this out-of-bounds access to corrupt kernel memory, leading to system instability, denial of service conditions, or even complete system compromise. The vulnerability is particularly concerning because it affects the core wireless processing functionality and operates at kernel level where such errors can have cascading effects throughout the system.

Mitigation strategies for CVE-2024-49931 focus on correcting the ring identifier usage within the ath12k_dp_rx_process() function to ensure proper indexing of the hal_reo_error array. The fix requires modifying the driver code to directly utilize normal ring IDs instead of SRNG ring IDs when accessing the array elements. This change aligns the indexing mechanism with the array's actual dimensioning and prevents the out-of-bounds access pattern. System administrators should prioritize applying the kernel patches that address this specific vulnerability, particularly on systems utilizing the QCN9274 hardware platform. The remediation approach follows standard security practices for preventing buffer overflows and array bound violations, with the fix being a straightforward correction of identifier semantics. This vulnerability demonstrates the importance of proper identifier management in kernel drivers and aligns with ATT&CK technique T1068 which covers privilege escalation through kernel exploits, making it a critical security concern for wireless infrastructure deployments.

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00245

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!