CVE-2024-58097 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix RCU stall while reaping monitor destination ring
While processing the monitor destination ring, MSDUs are reaped from the link descriptor based on the corresponding buf_id.
However, sometimes the driver cannot obtain a valid buffer corresponding to the buf_id received from the hardware. This causes an infinite loop in the destination processing, resulting in a kernel crash.
kernel log:
ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309
ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed
ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309
ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed
Fix this by skipping the problematic buf_id and reaping the next entry, replacing the break with the next MSDU processing.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Analysis
by VulDB Data Team • 03/16/2026
CVE-2024-58097 affects the Linux kernel's wireless subsystem, specifically the ath11k driver for Qualcomm Wi-Fi 6 and Wi-Fi 6E (802.11ax) adapters; Qualcomm's Wi-Fi 7 parts are handled by the separate ath12k driver. The issue is an error-handling flaw, not a race condition: while processing the monitor destination ring the driver can loop without making forward progress, which manifests as an RCU stall and ends in a kernel crash, a denial of service on the affected host. The monitor destination ring is the receive path used when the interface runs in monitor mode for packet capture. Like the rest of the driver's data path, it is driven by descriptor rings shared between hardware and software: the hardware hands the driver link descriptors that reference receive buffers by buf_id, and the driver reaps the corresponding frames from those buffers.
The flaw is in the recovery path of the monitor destination ring processing. While reaping MSDUs (MAC Service Data Units) from a link descriptor, the driver looks up each buf_id supplied by the hardware in its table of posted receive buffers. When a buf_id does not correspond to any buffer the driver currently has posted, the pre-fix code logged the error and broke out of the reaping loop. Because the problematic entry was never consumed, the surrounding destination processing re-attempted the same entry, logged the same invalid buf_id again and broke out again, never advancing to subsequent entries. The invalid value is detected correctly; what was missing is a recovery action that makes forward progress.
The operational impact is a denial of service: a host running the affected driver in monitor mode can hit an RCU stall and crash while a wireless capture is active. The kernel log in the summary shows the repetition, with "msdu_pop: invalid buf_id 309" followed by "dp_rx_monitor_link_desc_return failed" logged over and over for the same buf_id. This is an infinite loop triggered by unexpected hardware state, not a race condition. The summary does not establish whether a remote peer can induce the invalid buf_id; the documented trigger is the hardware reporting a buf_id that the driver cannot resolve. The Tested-on lines name only the platforms on which the fix was validated (WCN6855 hw2.0 and QCN9074 hw1.0 over PCI); they are not an exhaustive list of affected hardware, so any ath11k-supported adapter used in monitor mode should be treated as affected until the fix is applied.
The fix changes the recovery action: instead of breaking out of the reaping loop on an invalid buf_id, the driver skips that entry and continues with the next MSDU, so the destination ring processing always advances. This is the standard defensive pattern for consuming hardware-produced descriptors: every entry the hardware hands over is either consumed or explicitly skipped, and the loop makes forward progress regardless of the entry's contents. The change addresses the root cause of the stall rather than masking the symptom, and frames with valid buf_ids in the same descriptor continue to be processed.
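To make the failure mode described above and the fix concrete, the following is a simplified model written for this page in C. It is not the ath11k code: the ring layout, the buffer table size, the function names (msdu_pop, reap_link_desc, process_dest_ring) and the max_passes bound that stands in for the RCU stall are all assumptions, and the descriptor with a never-posted buf_id 309 is constructed input. The same descriptor is run through the pre-fix behaviour (break on the first invalid buf_id) and the post-fix behaviour (skip the entry and reap the next one).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of monitor destination ring reaping, written to
 * illustrate CVE-2024-58097. Not the ath11k code; sizes and names are
 * assumptions chosen to reproduce the failure mode. */

#define NUM_BUF_IDS    512   /* assumed size of the posted rx buffer table */
#define MSDUS_PER_LINK 4     /* assumed number of MSDU slots per link descriptor */

/* One link descriptor as handed to the driver by the hardware. */
struct link_desc {
	unsigned int buf_id[MSDUS_PER_LINK];
	unsigned int num_msdus;
};

/* Driver-side view of which buf_ids currently map to a posted buffer. */
struct rx_buf_table {
	bool posted[NUM_BUF_IDS];
};

/* Model of msdu_pop(): hand the buffer for buf_id to the stack. Returns
 * false (the driver's "invalid buf_id" case) when no such buffer is posted. */
static bool msdu_pop(struct rx_buf_table *tbl, unsigned int buf_id)
{
	if (buf_id >= NUM_BUF_IDS || !tbl->posted[buf_id]) {
		printf("msdu_pop: invalid buf_id %u\n", buf_id);
		return false;
	}
	tbl->posted[buf_id] = false;
	return true;
}

/* Reap one link descriptor. Returns the number of MSDUs reaped and sets
 * *done when every slot has been consumed. skip_invalid == false mirrors
 * the pre-fix behaviour: break on the first bad buf_id, leaving the
 * descriptor unfinished. skip_invalid == true mirrors the fix. */
static int reap_link_desc(struct rx_buf_table *tbl, const struct link_desc *ld,
			  bool skip_invalid, bool *done)
{
	int reaped = 0;
	unsigned int i;

	for (i = 0; i < ld->num_msdus; i++) {
		if (!msdu_pop(tbl, ld->buf_id[i])) {
			if (!skip_invalid)
				break;       /* pre-fix: abandon the descriptor */
			continue;            /* fixed: skip this slot, reap the next */
		}
		reaped++;
	}
	*done = (i == ld->num_msdus);
	return reaped;
}

/* Outer destination ring loop: keep processing the current entry until its
 * link descriptor is fully consumed. max_passes bounds the loop so the
 * stall can be observed instead of hanging the process; returns -1 when the
 * bound is hit (the kernel's RCU stall), otherwise the total MSDUs reaped. */
int process_dest_ring(struct rx_buf_table *tbl, const struct link_desc *ld,
		      bool skip_invalid, int max_passes)
{
	int total = 0, passes = 0;
	bool done;

	do {
		if (passes++ >= max_passes)
			return -1;
		total += reap_link_desc(tbl, ld, skip_invalid, &done);
	} while (!done);

	return total;
}

/* Constructed scenario: the hardware reports buf_id 309 in the first slot,
 * but the driver only ever posted buffers 10, 11 and 12. */
int demo(bool skip_invalid)
{
	struct rx_buf_table tbl;
	struct link_desc ld = { .buf_id = { 309, 10, 11, 12 }, .num_msdus = 4 };

	memset(&tbl, 0, sizeof(tbl));
	tbl.posted[10] = tbl.posted[11] = tbl.posted[12] = true;

	return process_dest_ring(&tbl, &ld, skip_invalid, 8);
}

int main(void)
{
	printf("pre-fix : %d\n", demo(false));   /* -1: never completes */
	printf("post-fix: %d\n", demo(true));    /* 3: 309 skipped, rest reaped */
	return 0;
}
```

With the pre-fix behaviour the model logs "invalid buf_id 309" on every pass, exactly the repeating pattern in the kernel log above, and never marks the descriptor done; only the artificial max_passes bound stops it. With the fix, the same descriptor is finished in a single pass: slot 309 is skipped and the three valid buffers are reaped.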
From a classification standpoint the weakness is CWE-835, Loop with Unreachable Exit Condition ('Infinite Loop'), and its consequence falls under the broader denial-of-service class of CWE-400, Uncontrolled Resource Consumption. In ATT&CK terms the closest technique is T1499.004, Endpoint Denial of Service: Application or System Exploitation, not Network Denial of Service (T1498), because the effect is a crash of the victim host rather than saturation of a network link. The case illustrates why kernel drivers must treat values received from hardware as untrusted input: an unexpected descriptor field has to be met with a recovery action that keeps the processing loop advancing, not one that abandons the loop in a state that will be retried forever. With the fix, monitor-mode capture continues through such hardware anomalies and the availability of the wireless interface is preserved.