CVE-2024-50235 in Linux

Summary

by MITRE • 11/09/2024

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: clear wdev->cqm_config pointer on free

When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free.


Analysis

by VulDB Data Team • 07/16/2025

CVE-2024-50235 is a double free in the Linux kernel's wireless subsystem, specifically in the cfg80211 configuration framework. When a wireless device (wdev) is unregistered, the kernel frees wdev->cqm_config but leaves the pointer set. Because the same wdev/netdev can be re-registered in another network namespace and destroyed later, the same cleanup path runs a second time against the stale pointer and frees the same allocation twice.

The flaw sits in the wireless device deregistration path, which calls kfree on wdev->cqm_config without setting the field to NULL afterwards. This is not a timing race: the sequence is deterministic. Unregistration frees the structure and leaves wdev->cqm_config pointing at released memory; re-registration of the device in a different network namespace does not reinitialize the field; the next unregistration passes the same address to kfree again. The cqm_config structure holds the connection quality monitoring (CQM) parameters that userspace configures for the interface, such as the RSSI threshold and hysteresis, so it is normally allocated only when those parameters are set and released when the device goes away.

A double free in kernel space corrupts allocator state, so the direct consequences are a kernel crash or memory corruption, and in principle such corruption can be steered toward code execution in kernel context. The page offers no evidence of a working exploit, and the EPSS score (0.00243), absence from KEV and very low observed activity listed below are consistent with that. Reaching the bug requires the ability to unregister a wireless device and re-register it in another network namespace, so exposure is concentrated in deployments that actually move wireless interfaces between namespaces rather than in every system with Wi-Fi.

The vulnerability maps to CWE-415 (Double Free). The root cause is a lifecycle mismatch: the wdev outlives the cqm_config allocation it points to, and nothing in the re-registration path resets the field. The fix is a single assignment of NULL to wdev->cqm_config immediately after the kfree in the unregister path; since kfree(NULL) is a no-op, a second pass through the same cleanup code then does nothing. The general defensive pattern is the same: whenever a containing object can outlive a member it frees, invalidate the pointer at the point of release rather than relying on every later path to know the member is gone.

The resolution is small but closes the whole scenario: once the pointer is cleared on free, re-registering the device in a different namespace and destroying it again cannot reach freed memory through wdev->cqm_config. Reviewers of similar code should check every field a device structure owns that is freed in one path and read in another, in particular where objects survive across namespace moves or re-registration. Clearing a pointer after kfree is a standard kernel practice precisely because these lifecycles are hard to reason about from any single function.
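The following is an added user-space model of the lifecycle described above; it is not kernel code and not part of the advisory. The names wdev_model, cqm_config_model, model_register, model_set_cqm, model_unregister and the tracked allocator are hypothetical stand-ins for cfg80211 internals. Only the pattern is taken from the page: a kfree without clearing the pointer, re-registration that does not touch the field, and a second unregistration. A small allocation tracker detects the second free instead of letting the C runtime abort, so the vulnerable and fixed variants can be run side by side.

```c
/*
 * Added example (not kernel code): user-space model of the wdev->cqm_config
 * lifecycle behind CVE-2024-50235. All identifiers below are hypothetical
 * stand-ins for cfg80211 internals; only the pattern (free without clearing
 * the pointer, re-register, free again) comes from the advisory text.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Tracked allocator: remembers live allocations so a second free of the
 * same pointer is counted as a double free instead of corrupting the heap. */
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_alloc(size_t n)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = calloc(1, n);
            return live[i];
        }
    }
    return NULL;
}

/* Returns 0 on a valid free or on NULL (kfree(NULL) is a no-op),
 * -1 when the pointer is not a live allocation (the CWE-415 event). */
static int tracked_free(void *p)
{
    if (!p)
        return 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            free(p);
            live[i] = NULL;
            return 0;
        }
    }
    double_frees++;
    return -1;
}

struct cqm_config_model {
    int rssi_thold;           /* modelled RSSI threshold set by userspace */
    unsigned int rssi_hyst;   /* modelled hysteresis */
};

struct wdev_model {
    int netns_id;                        /* namespace currently owning the netdev */
    struct cqm_config_model *cqm_config; /* models wdev->cqm_config */
};

/* Re-registration does not touch cqm_config; a stale value survives it. */
static void model_register(struct wdev_model *wdev, int netns_id)
{
    wdev->netns_id = netns_id;
}

/* Userspace sets CQM thresholds: the old config is freed and replaced. */
static int model_set_cqm(struct wdev_model *wdev, int thold, unsigned int hyst)
{
    struct cqm_config_model *cfg = tracked_alloc(sizeof(*cfg));
    if (!cfg)
        return -1;
    cfg->rssi_thold = thold;
    cfg->rssi_hyst = hyst;
    tracked_free(wdev->cqm_config);
    wdev->cqm_config = cfg;
    return 0;
}

/* clear_on_free == 0 models the vulnerable unregister path, 1 the fixed one. */
static void model_unregister(struct wdev_model *wdev, int clear_on_free)
{
    tracked_free(wdev->cqm_config);
    if (clear_on_free)
        wdev->cqm_config = NULL;   /* the one-line fix */
}

/* Drives the advisory's sequence: register, configure CQM, unregister,
 * re-register in another namespace, unregister again. Returns the number
 * of double frees observed: 1 for the vulnerable variant, 0 for the fixed. */
int run_lifecycle(int clear_on_free)
{
    struct wdev_model wdev;
    memset(&wdev, 0, sizeof(wdev));
    memset(live, 0, sizeof(live));
    double_frees = 0;

    model_register(&wdev, 1);
    model_set_cqm(&wdev, -70, 5);
    model_unregister(&wdev, clear_on_free);   /* first free */
    model_register(&wdev, 2);                 /* same wdev, new namespace */
    model_unregister(&wdev, clear_on_free);   /* second free of the same pointer? */
    return double_frees;
}

int main(void)
{
    printf("vulnerable: %d double free(s)\n", run_lifecycle(0));
    printf("fixed:      %d double free(s)\n", run_lifecycle(1));
    return 0;
}
```

The vulnerable run reports one double free because model_register leaves the stale pointer in place and the second model_unregister hands it back to the allocator; the fixed run reports none because the cleared pointer makes the second free a no-op. In a real kernel the second kfree would corrupt slab state rather than be detected, which is why the clearing has to happen at the point of release.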

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00243

KEV

no

Activities

very low

Sources
