CVE-2024-57995
Published: 27 February 2025
Summary
CVE-2024-57995 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of flaws like the use-after-free in ath12k driver through application of specific upstream kernel patches.
Vulnerability scanning detects the ath12k driver flaw corresponding to CVE-2024-57995, enabling prioritized remediation based on risk assessments.
Memory protection techniques such as kernel ASLR and supervisor-mode execution prevention mitigate exploitation of the read-after-free condition for arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel use-after-free in ath12k driver directly enables privilege escalation via arbitrary code execution from low-privileged context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different radio, it gets deleted from that radio through a call to ath12k_mac_unassign_link_vif().…
more
This action frees the arvif pointer. Subsequently, there is a check involving arvif, which will result in a read-after-free scenario. Fix this by moving this check after arvif is again assigned via call to ath12k_mac_assign_link_vif(). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
Deeper analysisAI
CVE-2024-57995 is a use-after-free vulnerability in the Linux kernel's ath12k WiFi driver, specifically within the ath12k_mac_assign_vif_to_vdev() function. The issue arises when an arvif structure, created on a different radio, is deleted via ath12k_mac_unassign_link_vif(), which frees the arvif pointer. A subsequent check then accesses the freed arvif, resulting in a read-after-free condition. This flaw, classified under CWE-416, affects systems using the ath12k driver and was tested on QCN9274 hw2.0 PCI with WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 firmware.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability, which carries a CVSS v3.1 base score of 7.8 (High). Successful exploitation could lead to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling privilege escalation, arbitrary code execution, or system crashes on affected kernels.
Mitigation involves applying the upstream Linux kernel patches provided in the stable repository commits: 57100b87c77818cb0d582a92e5cb32fff85c757d, 5a10971c7645a95f5d5dc23c26fbac4bf61801d0, and f3a95a312419e4f1e992525917da9dbcd247038f. These fixes reorder the logic to move the arvif check after reassignment via ath12k_mac_assign_link_vif(), preventing the read-after-free. Security practitioners should update to kernels incorporating these commits.
Details
- CWE(s)