CVE-2024-58096 in Linuxinfo

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode

ath11k_hal_srng_* should be used with srng->lock to protect srng data.

For ath11k_dp_rx_mon_dest_process() and ath11k_dp_full_mon_process_rx(), they use ath11k_hal_srng_* many times but never take srng->lock.

So when running (full) monitor mode, a warning will occur:

RIP: 0010:ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]
Call Trace:
 ? ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]
 ath11k_dp_rx_process_mon_status+0xc45/0x1190 [ath11k]
 ? idr_alloc_u32+0x97/0xd0
 ath11k_dp_rx_process_mon_rings+0x32a/0x550 [ath11k]
 ath11k_dp_service_srng+0x289/0x5a0 [ath11k]
 ath11k_pcic_ext_grp_napi_poll+0x30/0xd0 [ath11k]
 __napi_poll+0x30/0x1f0
 net_rx_action+0x198/0x320
 __do_softirq+0xdd/0x319

So add srng->lock for them to avoid such warnings.

In order to fetch the srng->lock, we should change srng's definition from 'void' to 'struct hal_srng', and initialize them elsewhere to prevent one line of code from being too long. This is consistent with other ring process functions, such as ath11k_dp_process_rx().

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
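To make the locking rule in the summary concrete, here is an added user-space C model of the pattern the fix applies. It is not code from the Linux kernel or the ath11k driver: struct hal_srng, the two ring helpers, the lock-held counter and the three posted descriptors are all constructed for this example. The real helpers are protected by a spinlock and report a missing lock through a lockdep_assert_held() check on srng->lock, which is where the warning in the trace above comes from; the counter stands in for that check. The unlocked handler mirrors the pre-fix ath11k_dp_rx_mon_dest_process() and trips the check on every helper call; the locked handler mirrors the fix and does the same work with no warnings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 8

/* Constructed stand-in for the kernel's struct hal_srng: a destination ring
 * plus the srng->lock that every ath11k_hal_srng_* helper expects to be held.
 * A flag models the spinlock; the example is single-threaded and shows only
 * the locking discipline, not the concurrent access itself. */
struct hal_srng {
	bool lock_held;
	uint32_t ring[RING_SIZE];  /* descriptors posted by the "hardware" */
	unsigned int head;         /* next entry the driver consumes */
	unsigned int tail;         /* next entry the hardware fills */
};

/* Counts helper calls made without the lock; stands in for the kernel's
 * lockdep_assert_held(&srng->lock) warning that produced the trace above. */
static int lock_warnings;

static void srng_lock(struct hal_srng *srng)   { srng->lock_held = true; }
static void srng_unlock(struct hal_srng *srng) { srng->lock_held = false; }

static void assert_srng_held(struct hal_srng *srng)
{
	if (!srng->lock_held)
		lock_warnings++;
}

/* Model of ath11k_hal_srng_dst_peek: next descriptor without consuming it. */
static uint32_t *srng_dst_peek(struct hal_srng *srng)
{
	assert_srng_held(srng);
	if (srng->head == srng->tail)
		return NULL;
	return &srng->ring[srng->head % RING_SIZE];
}

/* Model of ath11k_hal_srng_dst_get_next_entry: consume the next descriptor. */
static uint32_t *srng_dst_get_next(struct hal_srng *srng)
{
	uint32_t *desc = srng_dst_peek(srng);  /* peek already checks the lock */
	if (desc)
		srng->head++;
	return desc;
}

/* The run of ath11k_hal_srng_* calls that the monitor path makes while
 * draining the ring. It takes a struct hal_srng * rather than a void *,
 * which is what lets the caller reach srng->lock at all. */
static int mon_dest_drain(struct hal_srng *srng, uint32_t *sum)
{
	uint32_t *desc;
	int n = 0;
	while ((desc = srng_dst_peek(srng)) != NULL) {
		*sum += *desc;            /* "process" the descriptor */
		srng_dst_get_next(srng);  /* then advance past it */
		n++;
	}
	return n;
}

/* Before the fix: helpers called with no lock; every call trips the check. */
static int mon_dest_process_unlocked(struct hal_srng *srng, uint32_t *sum)
{
	return mon_dest_drain(srng, sum);
}

/* After the fix: srng->lock is held across the whole run of helper calls. */
static int mon_dest_process_locked(struct hal_srng *srng, uint32_t *sum)
{
	int n;
	srng_lock(srng);
	n = mon_dest_drain(srng, sum);
	srng_unlock(srng);
	return n;
}

struct pass_result {
	int warnings;   /* lock checks tripped during the pass */
	int processed;  /* descriptors consumed */
	uint32_t sum;   /* sum of descriptor values: both paths do the same work */
};

/* Posts three constructed descriptors and runs one pass of the given handler. */
static struct pass_result run_pass(int (*process)(struct hal_srng *, uint32_t *))
{
	static const uint32_t posted[] = { 0x10, 0x20, 0x30 };
	struct hal_srng srng;
	struct pass_result r = { 0, 0, 0 };

	memset(&srng, 0, sizeof(srng));
	memcpy(srng.ring, posted, sizeof(posted));
	srng.tail = 3;
	lock_warnings = 0;
	r.processed = process(&srng, &r.sum);
	r.warnings = lock_warnings;
	return r;
}
```

On three posted descriptors, run_pass(mon_dest_process_unlocked) reports 7 warnings (two helper calls per entry plus the final empty peek) while run_pass(mon_dest_process_locked) reports 0, and both consume all three entries with the same sum. The point the counter makes is the one the kernel warning makes: the helpers are only correct when the lock is held for the whole sequence of peek/advance calls, not around each call individually, because the ring pointers read by peek must still be valid when the matching advance runs.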


Analysis

by VulDB Data Team • 03/16/2026

The vulnerability identified as CVE-2024-58096 affects the Linux kernel's ath11k wireless driver implementation, specifically within the WiFi subsystem. This issue manifests as a race condition in monitor mode operations where multiple threads or processes access shared ring buffer data structures without proper synchronization mechanisms. The problem stems from the absence of appropriate locking mechanisms when accessing hardware receive ring structures during wireless packet processing.

The technical flaw resides in the ath11k driver's handling of hardware ring buffers during monitor mode operations. The functions ath11k_dp_rx_mon_dest_process() and ath11k_dp_full_mon_process_rx() perform multiple calls to ath11k_hal_srng_* APIs to access ring buffer data but fail to acquire the necessary srng->lock before performing these operations. This unprotected access creates a scenario where concurrent access to shared ring buffer structures can result in inconsistent data states and potential memory corruption issues. The kernel's call trace reveals that the issue occurs during ath11k_hal_srng_dst_peek function execution, indicating that the ring buffer peek operation is being performed without proper locking.

The operational impact of this vulnerability extends beyond simple warning messages to potentially compromise system stability and data integrity. When operating in monitor mode, the wireless driver generates warning messages indicating potential race conditions in the hardware ring buffer management. These warnings suggest that the driver may experience data corruption or inconsistent state management when multiple threads attempt to access the same ring buffer structures simultaneously. The vulnerability affects hardware platforms including WCN6855 and QCN9074, indicating a broad impact across Qualcomm's wireless chipset family. The race condition could potentially lead to packet loss, driver crashes, or in worst-case scenarios, system instability.

The fix implemented for CVE-2024-58096 involves adding proper locking mechanisms to protect access to hardware ring buffer structures during monitor mode operations. The solution requires changing the ring buffer structure definition from void to struct hal_srng and initializing these structures elsewhere in the codebase to maintain code readability and prevent overly long lines. This approach aligns with existing patterns used in other ring processing functions within the same driver, such as ath11k_dp_process_rx, ensuring consistency in the codebase. The implementation follows established security practices by ensuring proper mutual exclusion when accessing shared hardware resources, preventing concurrent modifications to ring buffer structures that could lead to data corruption or inconsistent states.

This vulnerability demonstrates characteristics consistent with CWE-362, which describes a race condition where multiple threads or processes access shared resources without proper synchronization. The issue also relates to ATT&CK technique T1547.001, which involves privilege escalation through kernel-mode exploitation, as improper locking mechanisms in kernel drivers can create opportunities for system instability or privilege escalation. The fix represents a standard defensive programming approach to prevent concurrent access issues in kernel space, ensuring that hardware ring buffer operations maintain data integrity during high-concurrency scenarios. The solution maintains backward compatibility while strengthening the driver's resilience against race conditions in wireless monitor mode operations.

Responsible: Linux

Reservation: 03/06/2025

Disclosure: 04/16/2025

Moderation: accepted

CPE: ready

EPSS: 0.00167

KEV: no

Activities: very low
