CVE-2024-50235 in Linux
Summary
by MITRE • 11/09/2024
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: clear wdev->cqm_config pointer on free
When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free.
Analysis
by VulDB Data Team • 07/16/2025
The vulnerability tracked as CVE-2024-50235 is a double-free condition in the Linux kernel's wireless subsystem, in the cfg80211 configuration layer. When a wireless device (wdev) is unregistered, cfg80211 frees the memory behind wdev->cqm_config but leaves the pointer set. The same wdev/netdev object may later be re-registered in another network namespace and destroyed there, which runs the same unregister path a second time and frees the stale pointer again. The root cause is a missed pointer invalidation in the device lifecycle code, which assumed a wdev passes through unregister only once and did not account for the object being reused across network namespaces rather than reallocated.
The flaw sits in the wireless device deregistration path: the kernel frees wdev->cqm_config but does not set the pointer to NULL afterwards. This is not a race condition; it is a dangling pointer that turns into a double free through an ordinary, deterministic sequence of operations. cqm_config holds the connection quality monitoring (CQM) parameters configured over nl80211, such as the RSSI threshold and hysteresis from which the kernel generates connection-quality events. After the first unregister the structure is gone but the pointer still holds its old address, so when the wdev is re-registered in a different network namespace and later destroyed, the unregister path runs again, finds the same non-NULL pointer, and hands already-freed memory to the allocator a second time.
A double free in kernel space corrupts allocator state and can crash the system, corrupt unrelated kernel memory, or, under favourable heap conditions, be turned into code execution with kernel privileges; the advisory describes the defect, not a working exploit. Triggering it requires a wireless device with a CQM configuration, moving it into another network namespace (an administrative nl80211 operation), and then tearing it down. The realistic exposure is therefore to systems that move wireless interfaces between namespaces, for example container or network-testing setups, and to attackers who already hold network administration rights in the relevant namespace; the impact on such a system is a kernel crash or memory corruption rather than a remote, unauthenticated attack.
The weakness maps to CWE-415 (Double Free). No MITRE ATT&CK technique describes a kernel double free; ATT&CK catalogues adversary behaviour, not memory-safety defects in the code being attacked. The underlying practice error is failing to invalidate a pointer after deallocation inside an object that outlives the operation that freed its members. The upstream fix sets wdev->cqm_config to NULL immediately after freeing it, so a second pass through the unregister path frees a NULL pointer, which the kernel's free routine treats as a no-op, instead of a stale one. Debugging aids such as KASAN or slab debugging do not prevent the bug but turn a silent double free into a reported one, which is how defects of this shape are usually caught in testing.
The fix is a one-line pointer invalidation, but it matters because wireless_dev objects are reused across network namespace moves rather than reallocated: every member freed during unregister must be left in a state that a second unregister can handle. The fix does not stop a device from being re-registered in another namespace and destroyed again; it makes that sequence safe. The same rule applies when reviewing similar code: wherever an object can go through a teardown path more than once, frees must be paired with a NULL assignment (or moved into the final destructor), and a freed-but-non-NULL pointer is a latent double free or use-after-free waiting for the second pass.
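As an added illustration, not kernel code and not from VulDB or the upstream commit, the following C program models the lifecycle described in the analysis above and the behaviour of the fix: a wdev whose cqm_config is freed on unregister, re-registered in another namespace, and torn down again. All names (wdev_t, cqm_config_t, tracked_alloc, tracked_free, wdev_unregister_vulnerable, wdev_unregister_fixed, run_lifecycle) are hypothetical stand-ins; the instrumented allocator is an assumption of the example that plays the role of kfree() under KASAN, so the second free is counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct cfg80211_cqm_config: the RSSI threshold and
 * hysteresis that drive connection quality monitoring (CQM) events. */
typedef struct { int rssi_thold; unsigned int rssi_hyst; } cqm_config_t;

/* Hypothetical stand-in for struct wireless_dev. The kernel reuses the same
 * object when a netdev is re-registered after a network namespace move, which
 * is what makes the stale pointer reachable a second time. */
typedef struct { int netns_id; cqm_config_t *cqm_config; } wdev_t;

/* Instrumented allocator, a toy model of kfree() under KASAN/SLUB debug (an
 * assumption of this example). Live allocations are recorded so that freeing a
 * pointer that is no longer live is counted instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static int is_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) return 1;
    return 0;
}

static void *tracked_alloc(size_t n)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) return live[i] = calloc(1, n);
    return NULL;
}

static void tracked_free(void *p)
{
    if (!p) return;                     /* like kfree(NULL): a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;                /* p was already freed */
}

/* Analogue of configuring CQM over nl80211; allocation on first use is a
 * simplification of this model, not a description of the kernel's code. */
static int wdev_set_cqm_rssi(wdev_t *w, int thold, unsigned int hyst)
{
    if (!w->cqm_config && !(w->cqm_config = tracked_alloc(sizeof *w->cqm_config)))
        return -1;                      /* ENOMEM */
    w->cqm_config->rssi_thold = thold;
    w->cqm_config->rssi_hyst = hyst;
    return 0;
}

/* Pre-fix teardown: the config is freed but the pointer keeps its old value. */
static void wdev_unregister_vulnerable(wdev_t *w)
{
    tracked_free(w->cqm_config);
}

/* Post-fix teardown: the pointer is cleared, so a second pass frees NULL. */
static void wdev_unregister_fixed(wdev_t *w)
{
    tracked_free(w->cqm_config);
    w->cqm_config = NULL;
}

/* After one unregister, is the wdev left holding a freed but non-NULL pointer? */
static int leaves_dangling_pointer(void (*unregister)(wdev_t *))
{
    wdev_t w = { .netns_id = 1, .cqm_config = NULL };
    wdev_set_cqm_rssi(&w, -70, 5);
    unregister(&w);
    return w.cqm_config != NULL && !is_live(w.cqm_config);
}

/* The sequence from the advisory: register in netns 1, configure CQM,
 * unregister for the namespace move, re-register the same object in netns 2,
 * then destroy it. Returns how many double frees the allocator observed. */
static int run_lifecycle(void (*unregister)(wdev_t *))
{
    wdev_t w = { .netns_id = 1, .cqm_config = NULL };
    double_free_count = 0;
    wdev_set_cqm_rssi(&w, -70, 5);
    unregister(&w);                     /* first free of cqm_config */
    w.netns_id = 2;                     /* same wdev re-registered elsewhere */
    unregister(&w);                     /* second pass through teardown */
    return double_free_count;
}

int main(void)
{
    printf("vulnerable: %d double free(s)\n", run_lifecycle(wdev_unregister_vulnerable));
    printf("fixed:      %d double free(s)\n", run_lifecycle(wdev_unregister_fixed));
    return 0;
}
```

The two teardown functions differ only by the `w->cqm_config = NULL;` line, which is the shape of the upstream change. With the vulnerable teardown the first unregister frees the config and leaves a dangling pointer, and the second unregister reports a double free; with the fixed teardown the second pass sees NULL and does nothing. On a real kernel the same second free would corrupt the slab allocator silently unless KASAN or slab debugging is enabled.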