CVE-2024-57899
Published: 15 January 2025
Summary
CVE-2024-57899 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2024-57899 is a vulnerability in the Linux kernel's mac80211 subsystem that causes corruption of MBSS (multi-BSS) changed flags specifically on 32-bit systems. The issue arises because an unsigned long is 4 bytes while a u64 is 8 bytes, leading the for_each_set_bit macro to incorrectly search a 32-bit variable as if it were 64 bits, resulting in erroneous bit detection. This affects Wi-Fi functionality, particularly in ieee80211_link_info_change_notify during mesh operations, as evidenced by the provided call trace showing kernel exceptions like exc_overflow and exc_invalid_op.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored by CVSS 3.1 at 7.8. Exploitation likely triggers kernel crashes or data corruption in Wi-Fi mesh handling, enabling denial of service or further compromise from a local context.
Kernel stable patches address the issue by ensuring the bits variable size is correctly adjusted for each architecture, as detailed in the referenced commits: https://git.kernel.org/stable/c/36b739637d7042843f9df57212ecee6ed6e0d4b2, https://git.kernel.org/stable/c/49dba1ded8dd5a6a12748631403240b2ab245c34, and https://git.kernel.org/stable/c/86772872f9f5097cd03d0e1c6813238bd38c250b. Security practitioners should apply these upstream fixes to affected 32-bit Linux kernels.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53802
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix mbss changed flags corruption on 32 bit systems On 32-bit systems, the size of an unsigned long is 4 bytes, while a u64 is 8 bytes. Therefore,…
more
when using or_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE), the code is incorrectly searching for a bit in a 32-bit variable that is expected to be 64 bits in size, leading to incorrect bit finding. Solution: Ensure that the size of the bits variable is correctly adjusted for each architecture. Call Trace: ? show_regs+0x54/0x58 ? __warn+0x6b/0xd4 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? report_bug+0x113/0x150 ? exc_overflow+0x30/0x30 ? handle_bug+0x27/0x44 ? exc_invalid_op+0x18/0x50 ? handle_exception+0xf6/0xf6 ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? exc_overflow+0x30/0x30 ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211] ? ieee80211_mesh_work+0xff/0x260 [mac80211] ? cfg80211_wiphy_work+0x72/0x98 [cfg80211] ? process_one_work+0xf1/0x1fc ? worker_thread+0x2c0/0x3b4 ? kthread+0xc7/0xf0 ? mod_delayed_work_on+0x4c/0x4c ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork+0x24/0x38 ? kthread_complete_and_exit+0x14/0x14 ? ret_from_fork_asm+0xf/0x14 ? entry_INT80_32+0xf0/0xf0 [restore no-op path for no changes]
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel bug in mac80211 enables privilege escalation via memory corruption or DoS via crashes in mesh/Wi-Fi handling on 32-bit systems.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2024-57899 by requiring timely testing and deployment of kernel patches that correct the 32-bit unsigned long/u64 size mismatch in mac80211's for_each_set_bit usage.
Vulnerability scanning identifies the presence of CVE-2024-57899 in affected 32-bit Linux kernels, enabling proactive remediation before local exploitation.
System monitoring detects exploitation indicators such as kernel exc_overflow and exc_invalid_op exceptions in ieee80211_link_info_change_notify and ieee80211_mesh_work from the CVE call trace.