CVE-2024-35811
Broadcom WiFi use-after-free vulnerability (Use After Free)
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

This is the candidate patch of CVE-2023-47233 :
https://nvd.nist.gov/vuln/detail/CVE-2023-47233

In brcm80211 driver, it starts with the following invoking chain to start init a timeout worker:

->brcmf_usb_probe
  ->brcmf_usb_probe_cb
    ->brcmf_attach
      ->brcmf_bus_started
        ->brcmf_cfg80211_attach
          ->wl_init_priv
            ->brcmf_init_escan
              ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker);

If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is :

brcmf_usb_disconnect
  ->brcmf_usb_disconnect_cb
    ->brcmf_detach
      ->brcmf_cfg80211_detach
        ->kfree(cfg);

While the timeout worker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.

Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach.

[[email protected]: keep timer delete as is and cancel work just before free]
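Added example, not part of the CVE record or the kernel patch: a single-threaded userspace model of the ordering problem in the description, with a cancel step modelled on the kernel's cancel_work_sync(). All model_* names, struct cfg_model and simulate_hot_unplug() are hypothetical; the freed flag stands in for kfree(cfg) so the late worker access can be counted without touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the detach race; hypothetical names, not brcmfmac code. */
struct work { void (*fn)(struct work *); bool pending; };
struct cfg_model {
    struct work escan_timeout_work;  /* embedded in cfg, as in the description */
    bool freed;                      /* poison flag standing in for kfree(cfg) */
};

static struct work *queued;          /* one-slot stand-in for the workqueue */
static int uaf_hits;                 /* worker runs that saw a freed cfg */

static void escan_timeout_worker(struct work *w) {
    struct cfg_model *cfg = (struct cfg_model *)w; /* work is the first member */
    if (cfg->freed) uaf_hits++;      /* in the kernel this is the use-after-free */
}

static void model_schedule_work(struct work *w) { w->pending = true; queued = w; }

/* Models cancel_work_sync(): once it returns, the work can no longer run. */
static void model_cancel_work_sync(struct work *w) {
    w->pending = false;
    if (queued == w) queued = NULL;
}

/* The worker thread getting CPU time after detach has already returned. */
static void model_run_pending(void) {
    struct work *w = queued;
    queued = NULL;
    if (w && w->pending) { w->pending = false; w->fn(w); }
}

static void detach(struct cfg_model *cfg, bool cancel_before_free) {
    if (cancel_before_free) model_cancel_work_sync(&cfg->escan_timeout_work);
    cfg->freed = true;               /* kfree(cfg) in the real detach path */
}

/* Returns how many times the worker ran against a freed cfg. */
int simulate_hot_unplug(bool cancel_before_free) {
    struct cfg_model cfg = { .escan_timeout_work = { escan_timeout_worker, false }, .freed = false };
    uaf_hits = 0;
    model_schedule_work(&cfg.escan_timeout_work); /* escan timeout queued work */
    detach(&cfg, cancel_before_free);             /* USB disconnect cleanup */
    model_run_pending();                          /* worker runs late */
    return uaf_hits;
}

int main(void) { printf("free only: %d, cancel then free: %d\n", simulate_hot_unplug(false), simulate_hot_unplug(true)); return 0; }
```

In the real driver the worker runs on another CPU, so the window is a race rather than a fixed sequence; the model pins the worst-case interleaving to make the effect of the cancel-before-free ordering visible.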
INFO
Published Date: May 17, 2024, 2:15 p.m.
Last Modified: Jan. 14, 2025, 2:23 p.m.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable: No
Impact Score: 3.6
Exploitability Score: 1.8
The following table lists the changes that have been made to the CVE-2024-35811 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jan. 14, 2025
Action | Type | Old Value | New Value
Added | CVSS V3.1 | | NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added | CWE | | NIST CWE-416
Added | CPE Configuration | | OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Added | CPE Configuration | | OR
  *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.7 up to (excluding) 4.19.312
  *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.274
  *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.215
  *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.154
  *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.84
  *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.24
  *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.7.12
  *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.8 up to (excluding) 6.8.3
Changed | Reference Type | https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb No Types Assigned | https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb Patch
Changed | Reference Type | https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744 No Types Assigned | https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78 No Types Assigned | https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a No Types Assigned | https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a Patch
Changed | Reference Type | https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169 No Types Assigned | https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a No Types Assigned | https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a Patch
Changed | Reference Type | https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731 No Types Assigned | https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1 No Types Assigned | https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa No Types Assigned | https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa Patch
Changed | Reference Type | https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html No Types Assigned | https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List
Changed | Reference Type | https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html No Types Assigned | https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Mailing List
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action | Type | Old Value | New Value
Added | Reference | | https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb
Added | Reference | | https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744
Added | Reference | | https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78
Added | Reference | | https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a
Added | Reference | | https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169
Added | Reference | | https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a
Added | Reference | | https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731
Added | Reference | | https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1
Added | Reference | | https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa
Added | Reference | | https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Added | Reference | | https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
-
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Nov. 05, 2024
Action | Type | Old Value | New Value
Removed | Reference | kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html |
Removed | Reference | kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html |
-
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jun. 27, 2024
Action | Type | Old Value | New Value
Added | Reference | | kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]
-
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jun. 25, 2024
Action | Type | Old Value | New Value
Added | Reference | | kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]
-
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 29, 2024
Action | Type | Old Value | New Value
-
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 17, 2024
Action | Type | Old Value | New Value
Added | Description | | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233 In brcm80211 driver, it starts with the following invoking chain to start init a timeout worker: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker); If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is : brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); While the timeout worker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach. [[email protected]: keep timer delete as is and cancel work just before free]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169 [No types assigned]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1 [No types assigned]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa [No types assigned]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731 [No types assigned]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744 [No types assigned]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a [No types assigned]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a [No types assigned]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb [No types assigned]
Added | Reference | | kernel.org https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78 [No types assigned]