CVE-2024-57995 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev()
In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different radio, it gets deleted from that radio through a call to ath12k_mac_unassign_link_vif(). This action frees the arvif pointer. Subsequently, there is a check involving arvif, which will result in a read-after-free scenario.
Fix this by moving this check after arvif is again assigned via call to ath12k_mac_assign_link_vif().
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/24/2026
The vulnerability identified as CVE-2024-57995 resides within the Linux kernel's ath12k wireless driver component, specifically affecting the ath12k_mac_assign_vif_to_vdev() function. This flaw represents a classic read-after-free vulnerability that occurs during wireless interface management operations. The issue manifests when a virtual interface (vif) is being reassigned across different wireless radio devices within the same hardware platform. The ath12k driver, which supports Qualcomm's wireless networking chips including the QCN9274 chipset, handles complex radio resource management where virtual interfaces must be dynamically assigned and reassigned between physical radio devices.
The technical execution of this vulnerability begins with the creation of an arvif (associated radio virtual interface) structure on one radio device. When the system determines that this virtual interface needs to be moved to a different radio, the ath12k_mac_unassign_link_vif() function is invoked to cleanly remove the interface from its current radio assignment. This unassignment process includes freeing the memory associated with the arvif pointer, effectively making it invalid. However, the subsequent code path in ath12k_mac_assign_vif_to_vdev() continues to reference this freed arvif pointer through a conditional check operation, creating a read-after-free condition that can lead to unpredictable behavior and potential exploitation.
This vulnerability directly relates to CWE-416, which defines the condition where a pointer is used after it has been freed, and falls under the broader category of memory safety issues in kernel space. The operational impact of this flaw extends beyond simple memory corruption, as it could potentially allow malicious actors to manipulate wireless interface assignments and possibly escalate privileges through kernel memory corruption attacks. The vulnerability affects wireless networking operations in kernel versions that include the affected ath12k driver implementation, particularly impacting devices utilizing Qualcomm's QCN9274 hardware platform with the specified firmware version. The memory corruption scenario could lead to system instability, denial of service conditions, or potentially more severe exploitation if combined with other vulnerabilities in the wireless subsystem.
The fix implemented addresses this issue by reordering the code execution flow to ensure that all checks and operations involving the arvif pointer occur after the pointer has been properly re-established through the ath12k_mac_assign_link_vif() function call. This defensive programming approach prevents the use of freed memory references and eliminates the read-after-free condition. The mitigation strategy essentially ensures proper temporal ordering of memory operations, which aligns with established security practices for kernel memory management. System administrators should update their kernel versions to include this fix, particularly those operating wireless infrastructure or devices that utilize Qualcomm's QCN9274 chipset. The solution demonstrates proper secure coding practices that should be applied throughout kernel drivers to prevent similar memory safety issues in wireless networking components. The vulnerability affects the broader ATT&CK framework category of privilege escalation through kernel exploits, specifically targeting the T1068 technique for local privilege escalation by exploiting kernel memory corruption vulnerabilities in wireless subsystem drivers.