CVE-2024-58063 in Linux
Summary
by MITRE • 03/06/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtlwifi: fix memory leaks and invalid access at probe error path
Deinitialize at reverse order when probe fails.
When init_sw_vars fails, rtl_deinit_core should not be called, specially now that it destroys the rtl_wq workqueue.
And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be leaked.
Remove pci_set_drvdata call as it will already be cleaned up by the core driver code and could lead to memory leaks too. cf. commit 8d450935ae7f ("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory").
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability CVE-2024-58063 affects the linux kernel's rtlwifi wireless driver component and represents a critical memory management issue within the device initialization error handling path. This flaw occurs during the probe function execution when the wireless hardware is being initialized, specifically when the software variable initialization fails. The vulnerability stems from improper resource cleanup sequencing during error conditions, creating potential memory leaks and invalid memory access patterns that could compromise system stability and security.
The technical flaw manifests in the rtlwifi driver's probe error handling mechanism where resources are not properly deinitialized in the correct order when initialization fails. When init_sw_vars function encounters an error, the driver incorrectly attempts to call rtl_deinit_core which subsequently destroys the rtl_wq workqueue, leading to invalid memory access patterns. The proper sequence should involve calling rtl_pci_deinit and deinit_sw_vars in the correct order to prevent memory leaks, rather than attempting to clean up resources that have already been destroyed. This improper resource management creates a scenario where memory allocated during initialization remains unreleased, potentially leading to memory exhaustion over time.
The operational impact of this vulnerability extends beyond simple memory leaks to potentially enable denial of service conditions and could provide attackers with opportunities to exploit the memory management inconsistencies. When the probe function fails, the improper cleanup sequence means that PCI driver data remains set even though the underlying resources have been partially or fully released, creating orphaned memory references that could be exploited. This vulnerability particularly affects systems running linux kernel versions that include the rtlwifi driver, making it a widespread concern for wireless network connectivity and system stability.
Mitigation strategies should focus on applying the kernel patches that correct the resource cleanup order and remove the redundant pci_set_drvdata calls that contribute to the memory leak conditions. System administrators should prioritize updating to kernel versions that contain the fixed rtlwifi driver implementation, which addresses the issue by ensuring proper deinitialization sequence and removing unnecessary driver data management calls. The fix aligns with established security practices for preventing resource leaks and maintaining proper error handling in device drivers, particularly in the context of wireless networking hardware management.
This vulnerability demonstrates the importance of proper resource management in kernel drivers and aligns with CWE-404, which covers improper resource release or unbalanced resource management. The issue also relates to ATT&CK technique T1499.001, which involves network denial of service, as the memory leaks could potentially lead to system instability and service disruption. The fix addresses the root cause by implementing correct reverse order deinitialization and removing redundant PCI driver data management that could create orphaned memory references, thereby reducing the attack surface for potential exploitation.